Hello community,

here is the log from the commit of package axis for openSUSE:Factory checked in 
at 2024-02-08 19:03:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/axis (Old)
 and      /work/SRC/openSUSE:Factory/.axis.new.1815 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "axis"

Thu Feb  8 19:03:54 2024 rev:40 rq:1145180 version:1.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/axis/axis.changes        2022-03-24 
22:58:39.072288227 +0100
+++ /work/SRC/openSUSE:Factory/.axis.new.1815/axis.changes      2024-02-08 
19:05:41.082767753 +0100
@@ -1,0 +2,9 @@
+Thu Feb  8 12:32:59 UTC 2024 - Gus Kenion <gken...@suse.com>
+
+ - Security fix [bsc#1218605, CVE-2023-51441] SSRF when untrusted
+   input is passed to the service admin HTTP API
+   * Added axis-CVE-2023-51441.patch
+ - Update axis-jdk11.patch, remove references to files that are
+   no longer present.
+
+-------------------------------------------------------------------

New:
----
  axis-CVE-2023-51441.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ axis.spec ++++++
--- /var/tmp/diff_new_pack.SAPscp/_old  2024-02-08 19:05:41.742791660 +0100
+++ /var/tmp/diff_new_pack.SAPscp/_new  2024-02-08 19:05:41.742791660 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package axis
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -52,6 +52,8 @@
 # PATCH-FIX-UPSTREAM bsc#1134598 CVE-2012-5784 CVE-2014-3596 missing 
connection hostname check against X.509 certificate name
 Patch9:         axis-CVE-2014-3596.patch
 Patch10:        unimplemented-saaj13-methods.patch
+# PATCH-FIX-UPSTREAM bsc#1218605 CVE-2023-51441 SSRF when untrusted input is 
passed to the service admin HTTP API
+Patch11:        axis-CVE-2023-51441.patch
 BuildRequires:  ant
 BuildRequires:  ant-jdepend
 BuildRequires:  antlr
@@ -108,6 +110,7 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 
 # Remove provided binaries
 find . "(" -name "*.jar" -o -name "*.zip" -o -name "*.class" ")" -delete

++++++ axis-CVE-2023-51441.patch ++++++
Index: axis-1_4/src/org/apache/axis/client/ServiceFactory.java
===================================================================
--- axis-1_4.orig/src/org/apache/axis/client/ServiceFactory.java
+++ axis-1_4/src/org/apache/axis/client/ServiceFactory.java
@@ -17,9 +17,11 @@
 package org.apache.axis.client;
 
 import org.apache.axis.EngineConfiguration;
+import org.apache.axis.components.logger.LogFactory;
 import org.apache.axis.configuration.EngineConfigurationFactoryFinder;
 import org.apache.axis.utils.ClassUtils;
 import org.apache.axis.utils.Messages;
+import org.apache.commons.logging.Log;
 
 import javax.naming.Context;
 import javax.naming.InitialContext;
@@ -47,6 +49,9 @@ import java.util.Properties;
 public class ServiceFactory extends javax.xml.rpc.ServiceFactory
         implements ObjectFactory
 {
+    protected static Log log =
+        LogFactory.getLog(ServiceFactory.class.getName());
+
     // Constants for RefAddrs in the Reference.
     public static final String SERVICE_CLASSNAME  = "service classname";
     public static final String WSDL_LOCATION      = "WSDL location";
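Review bot: The new `log` field is never reassigned anywhere in this patch, so it should be declared `protected static final Log log = LogFactory.getLog(ServiceFactory.class.getName());` rather than left as a mutable static that any subclass or same-package code can swap out. Whether `protected` (instead of `private`) is needed depends on subclasses I cannot see from this hunk; if none use it, narrowing it is the safer default. The class body continues outside the hunk.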
@@ -106,6 +111,11 @@ public class ServiceFactory extends java
         
         if (context != null) {
             String name = (String)environment.get("jndiName");
+
+           if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || 
name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 
|| name.toUpperCase().indexOf("JMX")!=-1) || 
name.toUpperCase().indexOf("JRMP")!=-1 || 
name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1 
|| name.toUpperCase().indexOf("IIOP")!=-1 || 
name.toUpperCase().indexOf("CORBANAME")!=-1) {
+                log.warn("returning null, jndiName received by 
ServiceFactory.getService() is not supported by this method: " + name);
+               return null;
+            }
             if (name == null) {
                 name = "axisServiceName";
             }
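Review bot: The `name!=null` guard at the start of the new condition protects only the four substring checks inside the first parenthesis; because `&&` binds tighter than `||`, the JRMP, JAVA, DNS, IIOP and CORBANAME terms call `name.toUpperCase()` unconditionally, so an environment without a `jndiName` now throws NullPointerException where the `if (name == null)` default to "axisServiceName" immediately below used to apply. The fix is to null-check once and uppercase once, using `Locale.ROOT` so the comparison does not depend on the default locale (`java.util.Locale` would need importing next to the existing `java.util.Properties` import). Because this is a substring denylist, a legitimate plain name containing e.g. "java" or "dns" is rejected too; if that is intended, a comment saying so would help the next maintainer. getService() starts and ends outside this hunk.
```java
            String name = (String)environment.get("jndiName");

            // Only a plain service name is expected here; reject anything that
            // carries a JNDI provider scheme name. Substring match is deliberate
            // and also rejects plain names that merely contain these words.
            if (name != null) {
                String upper = name.toUpperCase(Locale.ROOT);
                if (upper.indexOf("LDAP") != -1 || upper.indexOf("RMI") != -1
                        || upper.indexOf("JMS") != -1 || upper.indexOf("JMX") != -1
                        || upper.indexOf("JRMP") != -1 || upper.indexOf("JAVA") != -1
                        || upper.indexOf("DNS") != -1 || upper.indexOf("IIOP") != -1
                        || upper.indexOf("CORBANAME") != -1) {
                    log.warn("returning null, jndiName received by ServiceFactory.getService() is not supported by this method: " + name);
                    return null;
                }
            }
            // … unchanged: default to "axisServiceName", lookup/bind …
```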
@@ -120,6 +130,7 @@ public class ServiceFactory extends java
                     context.bind(name, service);
                 } catch (NamingException e1) {
                     // !!! Couldn't do it, what should we do here?
+                   return null;
                 }
             }
         } else {
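Review bot: The added `return null;` in the NamingException handler keeps the failure silent — `e1` is dropped and the caller receives the same null it gets for the unsupported-name rejection earlier in the method, with nothing in the logs to tell the two apart. Since the patch now gives this class a `log` field, record the cause before returning: `log.warn("could not bind service under jndiName " + name, e1);`. Previously the method fell through after a failed bind and, as far as I can tell from this hunk, still handed back the service; if turning that into null is intended, the `// !!! Couldn't do it` comment should be updated to say so rather than left as a question. getService() starts and ends outside this hunk.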

++++++ axis-jdk11.patch ++++++
++++ 765 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/axis/axis-jdk11.patch
++++ and /work/SRC/openSUSE:Factory/.axis.new.1815/axis-jdk11.patch
