Debian Bug report logs -
#905328
axis: CVE-2018-8032: cross-site scripting (XSS) attack in the default servlet/services
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#905328
; Package src:axis
.
(Fri, 03 Aug 2018 07:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Fri, 03 Aug 2018 07:39:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: axis
Version: 1.4-1
Severity: important
Tags: patch security upstream
Forwarded: https://issues.apache.org/jira/browse/AXIS-2924
Hi,
The following vulnerability was published for axis.
CVE-2018-8032[0]:
| Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site
| scripting (XSS) attack in the default servlet/services.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-8032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8032
[1] https://issues.apache.org/jira/browse/AXIS-2924
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org
.
(Thu, 09 Aug 2018 17:27:12 GMT) (full text, mbox, link).
Reply sent
to Emmanuel Bourg <ebourg@apache.org>
:
You have taken responsibility.
(Mon, 03 Dec 2018 07:51:58 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Mon, 03 Dec 2018 07:51:58 GMT) (full text, mbox, link).
Message #12 received at 905328-close@bugs.debian.org (full text, mbox, reply):
Source: axis
Source-Version: 1.4-28
We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 905328@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated axis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 03 Dec 2018 08:25:51 +0100
Source: axis
Binary: libaxis-java libaxis-java-doc
Architecture: source
Version: 1.4-28
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
libaxis-java - SOAP implementation in Java
libaxis-java-doc - SOAP implementation in Java (documentation)
Closes: 905328 911187
Changes:
axis (1.4-28) unstable; urgency=medium
.
* Fixed the build failure with Java 11 (Closes: #911187)
* Fixed CVE-2018-8032: Cross-site scripting (XSS) attack in the default
servlet/services (Closes: #905328)
* Fixed the generation of the javadoc
* Standards-Version updated to 4.2.1
Checksums-Sha1:
0ff7606a40b131b999abb21ea8c5346bbbfd2831 2217 axis_1.4-28.dsc
8a5ccb69d3cc2d60d55fef5e9380800942ff5b81 13740 axis_1.4-28.debian.tar.xz
e73c2d28d34bf0f50b303849d2a9b4e8528d6110 11291 axis_1.4-28_source.buildinfo
Checksums-Sha256:
420f3b36d63fef8ecc70f4d08f5d46eb4ecbfe6c881db5f01a912864a269e779 2217 axis_1.4-28.dsc
981edf6de06ae78662390e5caac7f07e6c7e01689107810f0e05da7fcb82cb35 13740 axis_1.4-28.debian.tar.xz
2789c00248bec1a8578b3aef7afa5bb2069cb4bd645a62e7449cb3ca24068d41 11291 axis_1.4-28_source.buildinfo
Files:
7b3b7aef0f5baae2f4d4939a24a55016 2217 java optional axis_1.4-28.dsc
59fbaa3794a7070f779d15e344b8edc0 13740 java optional axis_1.4-28.debian.tar.xz
12ccf5cccc6d358bbc382cd23fa02be6 11291 java optional axis_1.4-28_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlwE27gSHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCsBLUP/R2xWdmFzoOagUr6mpkV6DaK7JZ+8SRi
W+idNvYZLkGmSAu+kP9jbhoNPexaf1CLi5ddJ3TYt35tC3mKhOw63HdkM8DSZbgR
ZgFUUtvSlso5lfrgFACiUtUNObur7PO8q6Zs6ZjoRCbAZvhr68Ox1kOx0djHROw/
bpJaaj5SyiuisGqFzZtPMx+0Pg3zi6HhJ8wTj3Dz5zyt7UdfIc0ZKljN5G//XjLF
upP8lsInN/Z82W8jYL+5gJkAm/Fyz7uDAFXZjX0bk9CnWIMS0yhIvFTyWzD6EAeY
VIiafZZ79ixeMv0+Dkvk1Q4fMFlSCUktULfBv6SDzU8Q3uSb4dOVmdTiiFN3+fdp
h9uCWfSm9f6tBHrg8/qK7x4ojbfN4LhqukKAIpK/mxi+G8Q4UbR3knCaWl1w42hk
WJLzB0ZyQgFD2qlP2NS0rSy/BJ3YKR35s6/e0t00yn+Yuo8RH5Fxsqyjk+vn5toW
vu+VRYA7wrfzvl5qGps72sMAdOdZ0s2bAu7dQz935sVgEBGtyFu72FtE2zL1rdWR
CrbRR09HOki4gYDFcM6STmbvyUpgNo/qhLuSX5GF0CIosOvLN3R7OdeBdAMQ6QXF
dLgKS3ssMXkIx+QHxMNndyEOOJZulrqO0JkYjoNwz/83GshspFPfu/8qvwFFyvkY
OH8P/LZwPhAt
=oRmW
-----END PGP SIGNATURE-----
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#905328.
(Mon, 03 Dec 2018 07:52:05 GMT) (full text, mbox, link).
Message #15 received at 905328-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #905328 in axis reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/java-team/axis/commit/8f88b95e48799b0f2941427c7bd06e543a27b018
------------------------------------------------------------------------
Fixed CVE-2018-8032: Cross-site scripting (XSS) attack in the default servlet/services (Closes: #905328)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/905328
Added tag(s) pending.
Request was from Emmanuel Bourg <ebourg@apache.org>
to 905328-submitter@bugs.debian.org
.
(Mon, 03 Dec 2018 07:52:05 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sat, 05 Jan 2019 07:26:36 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:07:33 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.