Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 520304 (CVE-2014-3596)

Summary: <www-servers/axis-1.4-r2: Hostname verification susceptible to MITM attack (CVE-2014-3596)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1129935
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 441904    

Description Agostino Sarubbo gentoo-dev 2014-08-20 09:46:13 UTC 
From ${URL} :

It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server 
hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a 
Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially 
crafted subject.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-09-09 22:59:06 UTC 
CVE-2014-3596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3596):
  The getCN function in Apache Axis 1.4 and earlier does not properly verify
  that the server hostname matches a domain name in the subject's Common Name
  (CN) or subjectAltName field of the X.509 certificate, which allows
  man-in-the-middle attackers to spoof SSL servers via a certificate with a
  subject that specifies a common name in a field that is not the CN field. 
  NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-09-09 23:00:48 UTC 
Upstream Bug:
https://issues.apache.org/jira/browse/AXIS-2905
Comment 3 Patrice Clement (RETIRED) gentoo-dev 2015-06-13 21:26:38 UTC 
+*axis-1.4-r2 (13 Jun 2015)
+
+  13 Jun 2015; Patrice Clement <monsieurp@gentoo.org> +axis-1.4-r2.ebuild,
+  +files/axis-1.4-JSSESocketFactory.java.patch:
+  EAPI 5 bump. Add patch against CVE-2014-3596. Fix security bug 520304.
+

Arch teams,

Please stabilise:
=www-server/axis-1.4-r2

Target arches:
amd64 x86

Thanks.
Comment 4 Agostino Sarubbo gentoo-dev 2015-06-15 08:12:14 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-06-15 08:13:11 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Patrice Clement (RETIRED) gentoo-dev 2015-06-15 08:18:33 UTC 
+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -axis-1.4-r1.ebuild:
+  Remove old.
+
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-15 13:32:02 UTC 
Thanks!

GLSA Vote: No
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 02:51:38 UTC 
GLSA Vote: No

Thank you closing - noglsa.