From https://bugzilla.redhat.com/show_bug.cgi?id=873252 : Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5784 to the following vulnerability: Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. References: [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf [2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html [3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml
CVE-2012-5784 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5784): Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
I can't (or actually won't) mark this security bug as a DUPLICATE to avoid getting into troubles but this is a duplicate of bug 520304. You can read in the 1st comment posted by Ago: "From ${URL} : It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject." The aformentioned bug is undergoing stabilisation. @security team: please close this bug.
(In reply to Patrice Clement from comment #2) > I can't (or actually won't) mark this security bug as a DUPLICATE to avoid > getting into troubles but this is a duplicate of bug 520304. Actually bug 520304 is a fix of the incomplete bug that was part of this one. I am setting the dependency on bug the other bug since the secondary bug will fix both.
closing bug with Bug 520304 as it was voted no for the same vulnerability. Thank you all.