Control: tags -1 patch

Hi,

I have prepared a new revision for axis which addresses the security vulnerability, bug #762444, and I am looking for someone who wants to review and upload the package. The package can either be found at mentors.debian.net

http://mentors.debian.net/debian/pool/main/a/axis/axis_1.4-21.dsc

or in the SVN repository. I think this issue warrants a DSA and I also intend to prepare a fix for wheezy soonish.

Changelog:

* Team upload.
* Fix CVE-2014-3596.
  - Replace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes both CVE issues. Thanks to Raphael Hertzog for the report.
  - The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
  - (Closes: #762444)
* Declare compliance with Debian Policy 3.9.6.
* Use compat level 9 and require debhelper >=9.
* Use canonical VCS fields.

Markus
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
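
The class of flaw described in the changelog above, shown as an added example that is not the Axis source or the Debian patch: a string scan for "CN=" accepts text from another field, while parsing the subject into RDNs with the JDK's `LdapName` keeps only real CN attributes. The names `CnExtractionDemo`, `naiveCn`, `parsedCns` and `matches`, the subject string and the hostnames are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionDemo {
    // Hypothetical naive extractor: scans the DN as a flat string and returns
    // whatever follows the first "CN=", regardless of which field holds it.
    static String naiveCn(String subjectDn) {
        int start = subjectDn.indexOf("CN=");
        if (start < 0) return null;
        start += 3;
        int end = subjectDn.indexOf(',', start);
        return (end < 0 ? subjectDn.substring(start) : subjectDn.substring(start, end)).trim();
    }

    // Hypothetical structured extractor: parses the DN into RDNs and keeps
    // only values whose attribute type really is CN. A multi-valued RDN is
    // judged by the single type getType() reports, so a CN inside one may be
    // skipped, which fails closed.
    static List<String> parsedCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    // Exact, case-insensitive match only; wildcard handling is out of scope here.
    static boolean matches(String host, String name) {
        return name != null && host.equalsIgnoreCase(name);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN: the O field's value contains the text "CN=...".
        String subject = "O=CN=www.shop.example, CN=other.example";
        String host = "www.shop.example"; // constructed hostname the client intends to reach

        System.out.println("naive CN:   " + naiveCn(subject)
                + " -> accepted=" + matches(host, naiveCn(subject)));
        boolean ok = false;
        for (String cn : parsedCns(subject)) ok |= matches(host, cn);
        System.out.println("parsed CNs: " + parsedCns(subject) + " -> accepted=" + ok);
    }
}
```

Hostname verification should consult the certificate's subjectAltName dNSName entries before falling back to the CN; this sketch covers only the CN parsing step.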