Insecure certificate validation CVE-2014-3596

Related Vulnerabilities: CVE-2014-3596   CVE-2012-5784  

Debian Bug report logs - #762444


Reported by: Raphael Hertzog <hertzog@debian.org>

Date: Mon, 22 Sep 2014 12:03:02 UTC

Severity: grave

Tags: patch, security

Fixed in version axis/1.4-21

Done: Markus Koschany <apo@gambaru.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#762444; Package axis. (Mon, 22 Sep 2014 12:03:07 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 22 Sep 2014 12:03:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: submit@bugs.debian.org
Subject: Insecure certificate validation CVE-2014-3596
Date: Mon, 22 Sep 2014 13:59:56 +0200
Package: axis
Severity: grave
Tags: security

Hi,
the following vulnerability was published for axis.

CVE-2014-3596[0]:
| The getCN function in Apache Axis 1.4 and earlier does not properly
| verify that the server hostname matches a domain name in the subject's
| Common Name (CN) or subjectAltName field of the X.509 certificate,
| which allows man-in-the-middle attackers to spoof SSL servers via a
| certificate with a subject that specifies a common name in a field
| that is not the CN field.  NOTE: this issue exists because of an
| incomplete fix for CVE-2012-5784.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596
    https://security-tracker.debian.org/tracker/CVE-2014-3596
    https://issues.apache.org/jira/browse/AXIS-2905
Please adjust the affected versions in the BTS as needed.

As it turns out, the fix for CVE-2012-5784 was incomplete and
there's an updated patch available provided by RedHat:
https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch

Please replace debian/patches/06-fix-CVE-2012-5784.patch with this
one.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
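The CVE text quoted in the report above says the weakness is in how getCN picks the common name out of the certificate subject: a subject that carries a common name in a field other than CN can satisfy the check. The Python below is an added example, not Apache Axis's own code and not a reproduction of its getCN; it shows the kind of substring-based CN lookup that has exactly this property next to an RDN-aware lookup and an RFC 6125-style matcher that prefers subjectAltName dNSName entries. The certificate subjects are constructed for illustration and every function name is this example's own.

```python
# Added example (not Apache Axis source): a substring-based CN lookup of the kind
# the CVE text describes, beside an RDN-aware lookup and an RFC 6125-style matcher.
# Sample subjects below are constructed for illustration.


def naive_get_cn(subject_dn):
    """Assumed shape of the weak check: take the text after the FIRST 'CN='
    substring, up to the next comma. A 'CN=' that sits inside another
    attribute's value is picked up as if it were the subject's CN."""
    i = subject_dn.find("CN=")
    if i < 0:
        return None
    i += 3
    j = subject_dn.find(",", i)
    return subject_dn[i:] if j < 0 else subject_dn[i:j]


def parse_rdns(dn):
    """Split an RFC 2253-style DN into (ATTR, value) pairs. Backslash escapes
    and quoted values are honoured, so a literal 'CN=' or ',' inside a value
    stays inside that value instead of starting a new RDN."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':                            # quoted value: separators inside are literal
            in_quotes = not in_quotes
        elif c in ",+" and not in_quotes:       # ',' separates RDNs, '+' joins multi-valued ones
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")  # first '=' only: 'OU=CN=x' is attr OU
        if sep:
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def rdn_get_cn(subject_dn):
    """Return the value of the first real CN attribute, or None."""
    for attr, value in parse_rdns(subject_dn):
        if attr == "CN":
            return value
    return None


def hostname_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, and '*' only as the whole
    leftmost label with at least two labels after it (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        if len(p_labels) < 3 or len(h_labels) != len(p_labels):
            return False
        return p_labels[1:] == h_labels[1:]
    return pattern == host


def verify_hostname(host, subject_dn, san_dns=()):
    """Accept the certificate for `host` only if a subjectAltName dNSName
    matches; fall back to the subject CN only when no dNSName is present."""
    if san_dns:
        return any(hostname_matches(name, host) for name in san_dns)
    cn = rdn_get_cn(subject_dn)
    return cn is not None and hostname_matches(cn, host)


if __name__ == "__main__":
    # Constructed attacker certificate: the issued CN is the attacker's own
    # name; the victim's name is carried inside the OU attribute's value.
    crafted = "OU=CN=www.victim.example,CN=attacker.example,O=Attacker"
    print("naive CN :", naive_get_cn(crafted))   # www.victim.example (spoofable)
    print("RDN CN   :", rdn_get_cn(crafted))     # attacker.example
    print("accepted :", verify_hostname("www.victim.example", crafted))  # False
```

The point of the RDN parser is that the split happens on separators, not on the literal text "CN=", so an attacker who can get a value containing "CN=" into some other attribute gains nothing. Preferring subjectAltName over the CN is what current hostname-verification guidance requires anyway, and it makes the CN parsing question moot for any certificate that carries a dNSName.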



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#762444; Package axis. (Thu, 25 Sep 2014 21:03:04 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 25 Sep 2014 21:03:05 GMT)


Message #10 received at 762444@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: debian-java@lists.debian.org
Cc: 762444@bugs.debian.org
Subject: RFS: axis 1.4-21 [RC]
Date: Thu, 25 Sep 2014 23:00:47 +0200
Control: tags -1 patch

Hi,

I have prepared a new revision for axis which addresses the security
vulnerability, bug #762444, and I am looking for someone who wants to
review and upload the package.

The package can either be found at mentors.debian.net

http://mentors.debian.net/debian/pool/main/a/axis/axis_1.4-21.dsc

or in the SVN repository.

I think this issue warrants a DSA and I also intend to prepare a fix for
wheezy soonish.

Changelog:

* Team upload.
* Fix CVE-2014-3596.
  - Replace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes
    both CVE issues. Thanks to Raphael Hertzog for the report.
  - The getCN function in Apache Axis 1.4 and earlier does not properly
    verify that the server hostname matches a domain name in the subject's
    Common Name (CN) or subjectAltName field of the X.509 certificate,
    which allows man-in-the-middle attackers to spoof SSL servers via a
    certificate with a subject that specifies a common name in a field
    that is not the CN field.  NOTE: this issue exists because of an
    incomplete fix for CVE-2012-5784.
  - (Closes: #762444)
* Declare compliance with Debian Policy 3.9.6.
* Use compat level 9 and require debhelper >=9.
* Use canonical VCS fields.

Markus

Added tag(s) patch. Request was from Markus Koschany <apo@gambaru.de> to 762444-submit@bugs.debian.org. (Thu, 25 Sep 2014 21:03:05 GMT)


Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Wed, 01 Oct 2014 03:21:19 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Wed, 01 Oct 2014 03:21:20 GMT)


Message #17 received at 762444-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 762444-close@bugs.debian.org
Subject: Bug#762444: fixed in axis 1.4-21
Date: Wed, 01 Oct 2014 03:19:16 +0000
Source: axis
Source-Version: 1.4-21

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762444@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 25 Sep 2014 19:45:08 +0000
Source: axis
Binary: libaxis-java libaxis-java-doc
Architecture: source all
Version: 1.4-21
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description:
 libaxis-java - SOAP implementation in Java
 libaxis-java-doc - SOAP implementation in Java (documentation)
Closes: 762444
Changes:
 axis (1.4-21) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2014-3596.
     - Replace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes
       both CVE issues. Thanks to Raphael Hertzog for the report.
     - The getCN function in Apache Axis 1.4 and earlier does not properly
       verify that the server hostname matches a domain name in the subject's
       Common Name (CN) or subjectAltName field of the X.509 certificate,
       which allows man-in-the-middle attackers to spoof SSL servers via a
       certificate with a subject that specifies a common name in a field
       that is not the CN field.  NOTE: this issue exists because of an
       incomplete fix for CVE-2012-5784.
     - (Closes: #762444)
   * Declare compliance with Debian Policy 3.9.6.
   * Use compat level 9 and require debhelper >=9.
   * Use canonical VCS fields.
Checksums-Sha1:
 95cc11b21cf6819bc68eb8617806a454f4d98cfa 2246 axis_1.4-21.dsc
 263e0ff0b63af097bf4c3f85e7843d35d8fbe33d 11476 axis_1.4-21.debian.tar.xz
 dbd687ccba324618a07bf98505658c14e9acca9b 1495266 libaxis-java_1.4-21_all.deb
 f1d5d295146affa2c2c8125e8606f4c74f948483 1064692 libaxis-java-doc_1.4-21_all.deb
Checksums-Sha256:
 e97a76ebbb1b890b42c722db0343096d5d752081b264c8ec72998da38d39bbf5 2246 axis_1.4-21.dsc
 4f4f2750da840c330cbbe1fca32955c16fc8220d501d5db09601df7089c85677 11476 axis_1.4-21.debian.tar.xz
 3230be2f258dfcb953f2456eab192cbe5b9caaae224abef817d9f9cca9d0743b 1495266 libaxis-java_1.4-21_all.deb
 3946539a0c3eab191cf743b8a667bcd98bc8cd070eb6cbfc04d04730cb5d7038 1064692 libaxis-java-doc_1.4-21_all.deb
Files:
 ea9e4da875b544aaf75b87b468291b1c 1495266 java optional libaxis-java_1.4-21_all.deb
 b7b91fd7d069cd949bc3be444356dc14 1064692 doc optional libaxis-java-doc_1.4-21_all.deb
 9a5ece1c68e6e59ca50f345e92ea07e3 2246 java optional axis_1.4-21.dsc
 9738cc1034ad3534d9c9cb556c4b467b 11476 java optional axis_1.4-21.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Nov 2014 07:33:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:12:42 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.