From ${URL} : It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-3596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3596): The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
Upstream Bug: https://issues.apache.org/jira/browse/AXIS-2905
+*axis-1.4-r2 (13 Jun 2015) + + 13 Jun 2015; Patrice Clement <monsieurp@gentoo.org> +axis-1.4-r2.ebuild, + +files/axis-1.4-JSSESocketFactory.java.patch: + EAPI 5 bump. Add patch against CVE-2014-3596. Fix security bug 520304. + Arch teams, Please stabilise: =www-server/axis-1.4-r2 Target arches: amd64 x86 Thanks.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
+ 15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -axis-1.4-r1.ebuild: + Remove old. +
Thanks! GLSA Vote: No
GLSA Vote: No Thank you closing - noglsa.
