Bug 8936 - axis new security issue CVE-2012-5784
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/535742/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update

Reported: 2013-02-01 19:57 CET by David Walser
Modified: 2014-05-08 18:06 CEST
Source RPM: axis-1.4-18.mga3.src.rpm

Description David Walser 2013-02-01 19:57:40 CET
Fedora has issued an advisory on January 23:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097912.html

Mageia 2 is also affected.
Comment 1 David Walser 2013-02-02 00:11:22 CET
I fixed this in Cauldron.

D Morgan, I'll need you to look at this for Mageia 2.
Comment 2 David Walser 2013-02-20 18:50:02 CET
Red Hat has issued an advisory for this on February 19:
https://rhn.redhat.com/errata/RHSA-2013-0269.html
Comment 3 D Morgan 2013-06-25 01:03:08 CEST
fixed on svn
Comment 4 David Walser 2013-06-25 01:15:47 CEST
Thanks D Morgan!

Advisory:
========================

Updated axis packages fix security vulnerability:

Apache Axis did not verify that the server hostname matched the domain name
in the subject's Common Name (CN) or subjectAltName field in X.509
certificates. This could allow a man-in-the-middle attacker to spoof an SSL
server if they had a certificate that was valid for any domain name
(CVE-2012-5784).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784
https://rhn.redhat.com/errata/RHSA-2013-0269.html
========================

Updated packages in core/updates_testing:
========================
axis-1.4-6.1.mga2
axis-javadoc-1.4-6.1.mga2
axis-manual-1.4-6.1.mga2

from axis-1.4-6.1.mga2.src.rpm
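
Added example, not part of the bug report and not Apache Axis code: the advisory above describes a missing hostname check, and this sketch shows the kind of comparison a TLS client performs between the name it dialled and the names in the server certificate, following the RFC 2818 rules (it goes beyond the advisory by covering wildcard handling). The class and method names and the sample names are hypothetical, and the certificate fields are passed in as plain strings rather than parsed from a real certificate.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

// Added illustration of RFC 2818-style hostname matching; hypothetical names, not Axis code.
public class HostnameCheck {

    // True if `host` is covered by the certificate's identities.
    // sanDnsNames: dNSName entries from subjectAltName (may be empty); cn: subject CN (may be null).
    static boolean matches(String host, List<String> sanDnsNames, String cn) {
        // When dNSName entries exist they are authoritative and the CN is not consulted.
        List<String> names = !sanDnsNames.isEmpty() ? sanDnsNames
                : (cn == null ? Collections.<String>emptyList() : Collections.singletonList(cn));
        String h = host.toLowerCase(Locale.ROOT);
        for (String name : names) {
            if (matchesPattern(h, name.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    // A "*" is honoured only as the entire left-most label and covers exactly one label.
    static boolean matchesPattern(String host, String pattern) {
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        String suffix = pattern.substring(1); // e.g. ".other.example"
        // Reject wildcards directly under a single label (such as "*.example").
        if (suffix.indexOf('.', 1) < 0 || !host.endsWith(suffix)) {
            return false;
        }
        String first = host.substring(0, host.length() - suffix.length());
        return !first.isEmpty() && first.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample data: a certificate that is valid, but for a different domain.
        List<String> san = Arrays.asList("other.example", "*.other.example");
        List<String> noSan = Collections.<String>emptyList();
        System.out.println(matches("bank.example", san, "bank.example"));   // SAN present, CN ignored
        System.out.println(matches("www.other.example", san, null));        // single-label wildcard
        System.out.println(matches("a.b.other.example", san, null));        // wildcard across two labels
        System.out.println(matches("bank.example", noSan, "bank.example")); // CN fallback, no SAN
    }
}
```

A client that skips this comparison accepts the first case, which is the condition the advisory describes.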
Comment 6 Dave Hodgins 2013-07-01 22:52:44 CEST
As with other java development updates, we don't have anyone who knows how
to test this properly, so all we can do is confirm that it installs cleanly.

Could someone from the sysadmin team push 8936.adv?
Comment 7 Nicolas Vigier 2013-07-06 16:29:18 CEST
http://advisories.mageia.org/MGASA-2013-0200.html
