Debian Bug report logs - #929266 axis: CVE-2019-0227
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#929266; Package axis. (Mon, 20 May 2019 10:33:04 GMT)
Acknowledgement sent to Sylvain Beucler <beuc@beuc.net>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 20 May 2019 10:33:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: axis
X-Debbugs-CC: team@security.debian.org
Tags: security

Hi,

The following vulnerability was published for axis.

CVE-2019-0227[0]:
| A Server Side Request Forgery (SSRF) vulnerability affected the Apache
| Axis 1.4 distribution that was last released in 2006. Security and bug
| commits continue in the project's Axis 1.x Subversion
| repository; legacy users are encouraged to build from source. The
| successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not
| vulnerable to this issue.

The vulnerable 'StockQuoteService.jws' is not present in Debian binary
packages; however, an SSRF mitigation was also committed [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0227
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0227
[1] https://github.com/apache/axis1-java/commit/35511b872a6460129cfc0cd35baaccbd820977b5

Cheers!
Sylvain Beucler
Debian LTS Team
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 20 May 2019 12:09:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#929266; Package axis. (Thu, 23 May 2019 21:45:03 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 23 May 2019 21:45:03 GMT)
Message #12 received at 929266@bugs.debian.org:
Hi,

On Mon, 20 May 2019 12:20:31 +0200 Sylvain Beucler <beuc@beuc.net> wrote:
> Package: axis
> X-Debbugs-CC: team@security.debian.org
> Tags: security
>
> Hi,
>
> The following vulnerability was published for axis.
>
> CVE-2019-0227[0]:
> | A Server Side Request Forgery (SSRF) vulnerability affected the Apache
> | Axis 1.4 distribution that was last released in 2006. Security and bug
> | commits continue in the project's Axis 1.x Subversion
> | repository; legacy users are encouraged to build from source. The
> | successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not
> | vulnerable to this issue.
>
> The vulnerable 'StockQuoteService.jws' is not present in Debian binary
> packages; however, an SSRF mitigation was also committed [1].

I believe the SSRF mitigation should be viewed in the context of the
vulnerable StockQuoteService.jws file. Since we don't ship this file in
our binary packages, I think it is correct to mark the issue as
unimportant. However, I agree it is sensible to change
uconn.setInstanceFollowRedirects(true) to
uconn.setInstanceFollowRedirects(false).

I don't think it is likely that this issue is somehow exploited when
using our Debian package. We use axis mainly as a build-dependency for
other packages. We could change the default for
uconn.setInstanceFollowRedirects in Buster but keep it this way in
Jessie and Stretch.

It is nice to know that there is ongoing work on axis1. I think we could
update this package after the freeze and track the new upstream
development at

https://github.com/apache/axis1-java/

Regards,

Markus
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#929266; Package axis. (Fri, 24 May 2019 07:18:05 GMT)
Acknowledgement sent to Sylvain Beucler <beuc@beuc.net>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 24 May 2019 07:18:05 GMT)
Message #17 received at 929266@bugs.debian.org:
Hi!

On Thu, May 23, 2019 at 11:42:51PM +0200, Markus Koschany wrote:
> On Mon, 20 May 2019 12:20:31 +0200 Sylvain Beucler <beuc@beuc.net> wrote:
> > Package: axis
> > X-Debbugs-CC: team@security.debian.org
> > Tags: security
> >
> > The following vulnerability was published for axis.
> >
> > CVE-2019-0227[0]:
> > | A Server Side Request Forgery (SSRF) vulnerability affected the Apache
> > | Axis 1.4 distribution that was last released in 2006. Security and bug
> > | commits continue in the project's Axis 1.x Subversion
> > | repository; legacy users are encouraged to build from source. The
> > | successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not
> > | vulnerable to this issue.
> >
> > The vulnerable 'StockQuoteService.jws' is not present in Debian binary
> > packages; however, an SSRF mitigation was also committed [1].
>
> I believe the SSRF mitigation should be viewed in the context of the
> vulnerable StockQuoteService.jws file.

AFAIU the vulnerable StockQuoteService.jws is fixed by its removal,
and similar XMLUtils-based services need the mitigation.
In either case the root SSRF issue is not fixed.

> Since we don't ship this file in
> our binary packages, I think it is correct to mark the issue as
> unimportant. However, I agree it is sensible to change
> uconn.setInstanceFollowRedirects(true) to
> uconn.setInstanceFollowRedirects(false).
>
> I don't think it is likely that this issue is somehow exploited when
> using our Debian package. We use axis mainly as a build-dependency for
> other packages. We could change the default for
> uconn.setInstanceFollowRedirects in Buster but keep it this way in
> Jessie and Stretch.

I trust your judgement on this.

> It is nice to know that there is ongoing work on axis1. I think we could
> update this package after the freeze and track the new upstream
> development at
>
> https://github.com/apache/axis1-java/

The canonical repo is at
https://svn.apache.org/viewvc/axis/axis1/java/trunk/
(it would be good if Apache updated their SVN page..)

Cheers!
Sylvain
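As an added illustration, not code from the Debian package, from the axis1-java commit or from either correspondent above, the following stand-alone Java snippet shows what the `uconn.setInstanceFollowRedirects(false)` change discussed in the two messages buys a URL-fetching helper: with automatic following disabled, the caller sees each 3xx response and can check the Location target before issuing a second request, which is the point where an SSRF-style hop to an unintended host can be refused. The same-scheme-and-host policy in `isAllowedTarget` and the hop limit are assumptions for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

public class CheckedRedirectFetcher {
    /** Maximum number of redirects followed by hand (assumed policy, not an Axis value). */
    private static final int MAX_HOPS = 3;

    /**
     * Example policy (an assumption, not Axis code): a redirect may only stay on the
     * scheme, host and port the caller originally asked for. Automatic following with
     * setInstanceFollowRedirects(true) never gives the caller a chance to apply such a rule.
     */
    static boolean isAllowedTarget(URL original, URL target) {
        return original.getProtocol().equalsIgnoreCase(target.getProtocol())
                && original.getHost().equalsIgnoreCase(target.getHost())
                && original.getPort() == target.getPort();
    }

    private static boolean isRedirect(int code) {
        return code == 301 || code == 302 || code == 303 || code == 307 || code == 308;
    }

    /** Opens the URL with automatic redirects disabled and validates every hop explicitly. */
    static InputStream open(URL original) throws IOException {
        URL current = original;
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpURLConnection uconn = (HttpURLConnection) current.openConnection();
            uconn.setInstanceFollowRedirects(false); // the mitigation discussed in the thread
            int code = uconn.getResponseCode();
            if (!isRedirect(code)) {
                return uconn.getInputStream(); // non-2xx codes raise IOException here as usual
            }
            String location = uconn.getHeaderField("Location");
            uconn.disconnect();
            if (location == null) {
                throw new IOException("HTTP " + code + " without Location from " + current);
            }
            URL next = new URL(current, location); // resolves relative Location values
            if (!isAllowedTarget(original, next)) {
                throw new IOException("Refusing redirect from " + current + " to " + next);
            }
            current = next;
        }
        throw new IOException("Too many redirects starting from " + original);
    }
}
```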
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:11:52 2019; Machine Name: buxtehude