Security: Insufficient certificate verification in AXIS
Name: Insufficient certificate verification in AXIS
ID: FEDORA-2013-1194
Distribution: Fedora
Platforms: Fedora 17
Date: Sat, 2 February 2013, 08:35
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784
Applications: AXIS

Original message
Name        : axis
Product     : Fedora 17
Version     : 1.4
Release     : 19.fc17
URL         : http://ws.apache.org/axis/
Summary     : SOAP implementation in Java
Description :
Apache AXIS is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.

From the draft W3C specification:

SOAP is a lightweight protocol for exchange of information in a decentralized, distributed environment. It is an XML based protocol that consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing remote procedure calls and responses.

This project is a follow-on to the Apache SOAP project.

--------------------------------------------------------------------------------
Update Information:

This update fixes a security vulnerability that caused axis not to verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allowed man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate (CVE-2012-5784).

--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 21 2013 Mikolaj Izdebski <mizdebsk@redhat.com> - 0:1.4-19
- Add missing connection hostname check against X.509 certificate name
- Resolves: CVE-2012-5784
* Tue Jul 31 2012 Andy Grimm <agrimm@gmail.com> - 0:1.4-18
- replace POMs with newer upstream versions using org.apache.axis gid
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0:1.4-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Tue Jun 26 2012 Gerard Ryan <galileo@gedoraproject.org> 0:1.4-16
- Remove problematic comma from axis.jar manifest
* Sat Jun 23 2012 Gerard Ryan <galileo@gedoraproject.org> 0:1.4-15
- Fix existing OSGI manifests and add manifest to axis-ant.
* Fri May 11 2012 Marek Goldmann <mgoldman@redhat.com> 0:1.4-14
- Changed dependency from axis-wsdl4j to wsdl4j
* Mon Apr 30 2012 Alexander Kurtakov <akurtako@redhat.com> 0:1.4-13
- Revert RHEL conditionals - we are not getting complete build with them.
* Mon Apr 30 2012 Alexander Kurtakov <akurtako@redhat.com> 0:1.4-12
- Conditionalize xmlbeans/xml-security for RHEL.

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #873252 - CVE-2012-5784 axis: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate
        https://bugzilla.redhat.com/show_bug.cgi?id=873252

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use su -c 'yum update axis' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys

--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
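
The check described under "Update Information", matching the connection hostname against the certificate's subjectAltName entries and the subject Common Name, shown in Python as an added example; it is not code from the Fedora patch or from AXIS, which is written in Java. The certificate dictionaries are constructed samples in the layout returned by Python's ssl.SSLSocket.getpeercert(), the function names are hypothetical, and IP-address entries are not handled.

```python
# Added example: hostname-vs-certificate matching, the step CVE-2012-5784 says was skipped.
# Certificates are constructed samples shaped like ssl.SSLSocket.getpeercert() output.


def label_match(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the hostname, case-insensitively.
    A wildcard is honoured only as the entire left-most label ('*.example.org')."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # '*' stands for exactly one label and is refused for two-label names like '*.org'
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def candidate_names(cert: dict) -> list:
    """dNSName entries from subjectAltName; the subject CN is used only if there are none."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if the certificate was issued for the host the client meant to reach."""
    return any(label_match(name, hostname) for name in candidate_names(cert))


# Constructed certificates: both would pass chain validation if issued by a trusted CA,
# which is why chain validation alone does not authenticate the server.
CERT_FOR_SERVICE = {
    "subject": ((("commonName", "soap.example.org"),),),
    "subjectAltName": (("DNS", "soap.example.org"), ("DNS", "*.api.example.org")),
}
CERT_FOR_OTHER_SITE = {"subject": ((("commonName", "unrelated.example.net"),),)}

if __name__ == "__main__":
    for cert in (CERT_FOR_SERVICE, CERT_FOR_OTHER_SITE):
        print(candidate_names(cert), hostname_matches(cert, "soap.example.org"))
```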