[ubuntu/utopic-proposed] axis 1.4-21 (Accepted)

Artur Rona ari-tczew at tlen.pl
Tue Oct 7 09:19:41 UTC 2014


axis (1.4-21) unstable; urgency=high

  * Team upload.
  * Fix CVE-2014-3596.
    - Replace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes
      both CVE issues. Thanks to Raphael Hertzog for the report.
    - The getCN function in Apache Axis 1.4 and earlier does not properly
      verify that the server hostname matches a domain name in the subject's
      Common Name (CN) or subjectAltName field of the X.509 certificate,
      which allows man-in-the-middle attackers to spoof SSL servers via a
      certificate with a subject that specifies a common name in a field
      that is not the CN field.  NOTE: this issue exists because of an
      incomplete fix for CVE-2012-5784.
    - (Closes: #762444)
  * Declare compliance with Debian Policy 3.9.6.
  * Use compat level 9 and require debhelper >=9.
  * Use canonical VCS fields.

Date: 2014-10-01 10:10:48.805795+00:00
Changed-By: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Signed-By: Artur Rona <ari-tczew at tlen.pl>
https://launchpad.net/ubuntu/utopic/+source/axis/1.4-21
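
Added example, not part of this upload notice and not the code of CVE-2014-3596.patch: it shows why reading the Common Name out of the subject as a flat string can return text that sits inside another field, and how parsing the subject into typed RDNs with the JDK's LdapName avoids that. The class and method names (SubjectCnDemo, naiveCn, parsedCns) and the subject string are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectCnDemo {

    // Flat-string approach: returns whatever follows the first "CN=" in the
    // subject, without checking which attribute that text belongs to.
    static String naiveCn(String dn) {
        int start = dn.indexOf("CN=");
        if (start < 0) {
            return null;
        }
        int end = dn.indexOf(',', start);
        return end < 0 ? dn.substring(start + 3) : dn.substring(start + 3, end);
    }

    // Structured approach: parse the RFC 2253 string into RDNs and keep only
    // values whose attribute type really is CN (case-insensitive lookup).
    static List<String> parsedCns(String dn) throws NamingException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            Attribute cn = rdn.toAttributes().get("cn");
            if (cn != null && cn.get() instanceof String) {
                cns.add((String) cn.get());
            }
        }
        return cns;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subject: the O value contains an escaped comma followed
        // by the text "CN=bank.example"; the only real CN is other.example.
        String dn = "O=Acme\\, CN=bank.example,CN=other.example";

        System.out.println("subject      : " + dn);
        System.out.println("flat string  : " + naiveCn(dn));
        System.out.println("parsed RDNs  : " + parsedCns(dn));
    }
}
```

A hostname check built on the parsed values compares the server name only against attributes of type CN (and against subjectAltName entries, which this sketch does not cover).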