axis: CVE-2018-8032: cross-site scripting (XSS) attack in the default servlet/services

Related Vulnerabilities: CVE-2018-8032  

Debian Bug report logs - #905328

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 3 Aug 2018 07:39:01 UTC

Severity: important

Tags: fixed-upstream, patch, pending, security, upstream

Found in version axis/1.4-1

Fixed in version axis/1.4-28

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/AXIS-2924


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#905328; Package src:axis. (Fri, 03 Aug 2018 07:39:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 03 Aug 2018 07:39:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: axis: CVE-2018-8032: cross-site scripting (XSS) attack in the default servlet/services
Date: Fri, 03 Aug 2018 09:36:33 +0200
Source: axis
Version: 1.4-1
Severity: important
Tags: patch security upstream
Forwarded: https://issues.apache.org/jira/browse/AXIS-2924

Hi,

The following vulnerability was published for axis.

CVE-2018-8032[0]:
| Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site
| scripting (XSS) attack in the default servlet/services.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8032
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8032
[1] https://issues.apache.org/jira/browse/AXIS-2924

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 09 Aug 2018 17:27:12 GMT).


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Mon, 03 Dec 2018 07:51:58 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Dec 2018 07:51:58 GMT).


Message #12 received at 905328-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 905328-close@bugs.debian.org
Subject: Bug#905328: fixed in axis 1.4-28
Date: Mon, 03 Dec 2018 07:49:09 +0000
Source: axis
Source-Version: 1.4-28

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 905328@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 03 Dec 2018 08:25:51 +0100
Source: axis
Binary: libaxis-java libaxis-java-doc
Architecture: source
Version: 1.4-28
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libaxis-java - SOAP implementation in Java
 libaxis-java-doc - SOAP implementation in Java (documentation)
Closes: 905328 911187
Changes:
 axis (1.4-28) unstable; urgency=medium
 .
   * Fixed the build failure with Java 11 (Closes: #911187)
   * Fixed CVE-2018-8032: Cross-site scripting (XSS) attack in the default
     servlet/services (Closes: #905328)
   * Fixed the generation of the javadoc
   * Standards-Version updated to 4.2.1




Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#905328. (Mon, 03 Dec 2018 07:52:05 GMT).


Message #15 received at 905328-submitter@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 905328-submitter@bugs.debian.org
Subject: Bug #905328 in axis marked as pending
Date: Mon, 03 Dec 2018 07:31:18 +0000
Control: tag -1 pending

Hello,

Bug #905328 in axis reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/java-team/axis/commit/8f88b95e48799b0f2941427c7bd06e543a27b018

------------------------------------------------------------------------
Fixed CVE-2018-8032: Cross-site scripting (XSS) attack in the default servlet/services (Closes: #905328)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/905328



Added tag(s) pending. Request was from Emmanuel Bourg <ebourg@apache.org> to 905328-submitter@bugs.debian.org. (Mon, 03 Dec 2018 07:52:05 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Jan 2019 07:26:36 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:07:33 2019; Machine Name: buxtehude