Markus Koschany pushed to branch master at Debian Java Maintainers / axis
Commits:
4e5d0e94 by Markus Koschany at 2023-10-17T00:50:18+02:00
Fix CVE-2023-40743
- - - - -
22eb305d by Markus Koschany at 2023-10-17T00:58:23+02:00
Switch to debhelper-compat = 13.
- - - - -
6fde825e by Markus Koschany at 2023-10-17T00:58:37+02:00
Declare compliance with Debian Policy 4.6.2.
- - - - -
c8ed7b83 by Markus Koschany at 2023-10-17T01:00:40+02:00
Update debian/copyright
- - - - -
8cf4f888 by Markus Koschany at 2023-10-17T01:02:37+02:00
Update changelog
- - - - -
6867c251 by Markus Koschany at 2023-10-17T01:14:15+02:00
Install the NOTICE file.
- - - - -
7 changed files:
- debian/changelog
- − debian/compat
- debian/control
- debian/copyright
- + debian/libaxis-java.docs
- + debian/patches/CVE-2023-40743.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+axis (1.4-29) unstable; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2023-40743:
+ When integrating Apache Axis 1.x in an application, it may not have been
+ obvious that looking up a service through "ServiceFactory.getService"
+ allows potentially dangerous lookup mechanisms such as LDAP. When passing
+ untrusted input to this API method, this could expose the application to
+ DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
+ * Switch to debhelper-compat = 13.
+ * Declare compliance with Debian Policy 4.6.2.
+
+ -- Markus Koschany <a...@debian.org> Tue, 17 Oct 2023 01:00:51 +0200
+
 axis (1.4-28) unstable; urgency=medium
 
 * Fixed the build failure with Java 11 (Closes: #911187)
=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-11
=====================================
debian/control
=====================================
@@ -9,7 +9,7 @@ Uploaders:
 Build-Depends: ant-optional,
 bnd (>= 2.1.0),
- debhelper (>= 11~),
+ debhelper-compat (= 13),
 default-jdk,
 libcommons-discovery-java,
 libcommons-httpclient-java,
@@ -18,7 +18,7 @@ Build-Depends:
 libservlet3.1-java,
 libwsdl4j-java,
 maven-repo-helper
-Standards-Version: 4.2.1
+Standards-Version: 4.6.2
 Vcs-Git: https://salsa.debian.org/java-team/axis.git
 Vcs-Browser: https://salsa.debian.org/java-team/axis
 Homepage: http://ws.apache.org/axis/
=====================================
debian/copyright
=====================================
@@ -1,7 +1,7 @@
-Format: http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn?revision=202
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: Apache Axis
 Upstream-Contact: http://ws.apache.org/axis/
-Source: http://www.apache.org/dist/ws/axis/1_4/
+Source: https://www.apache.org/dyn/closer.cgi/ws/axis/1_4
 
 Files: *
 Copyright: 2006-2008, Apache Foundation
=====================================
debian/libaxis-java.docs
=====================================
@@ -0,0 +1 @@
+NOTICE
=====================================
debian/patches/CVE-2023-40743.patch
=====================================
@@ -0,0 +1,32 @@
+From: Markus Koschany <a...@debian.org>
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
++++ b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+ 
+ if (context != null) {
+ String name = (String)environment.get("jndiName");
++
++ if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1) {
++ return null;
++ }
+ if (name == null) {
+ name = "axisServiceName";
+ }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+ context.bind(name, service);
+ } catch (NamingException e1) {
+ // !!! Couldn't do it, what should we do here?
++ return null;
+ }
+ }
+ } else {
=====================================
debian/patches/series
=====================================
@@ -8,3 +8,4 @@ javadoc-encoding.patch
 java9-compatibility.patch
 java11-compatibility.patch
 CVE-2018-8032.patch
+CVE-2023-40743.patch
View it on GitLab: https://salsa.debian.org/java-team/axis/-/compare/4e1efc36bb8fb27934fd6a1afb54604ffdc56504...6867c251c70e7b54bd3cda384f972cc6cc134e53
--
View it on GitLab: https://salsa.debian.org/java-team/axis/-/compare/4e1efc36bb8fb27934fd6a1afb54604ffdc56504...6867c251c70e7b54bd3cda384f972cc6cc134e53
You're receiving this email because of your account on salsa.debian.org.
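Review bot: The null guard in the added `if` protects only the first four substring checks: the `)` after `indexOf("JMX")!=-1` closes the group opened after `name!=null && (`, so when `jndiName` is absent (the case the following `if (name == null)` maps to `"axisServiceName"`) evaluation falls through to `name.toUpperCase().indexOf("JRMP")` and throws `NullPointerException` instead of using the default name. Moving the closing parenthesis to the end of the condition fixes this, and hoisting the conversion removes seven `toUpperCase()` calls: `String upper = name == null ? null : name.toUpperCase(java.util.Locale.ROOT);` followed by `if (upper != null && (upper.contains("LDAP") || upper.contains("RMI") || upper.contains("JMS") || upper.contains("JMX") || upper.contains("JRMP") || upper.contains("JAVA") || upper.contains("DNS"))) {`. `Locale.ROOT` matters because the default-locale `toUpperCase()` is not guaranteed to map `i` to `I`, which would make the `"RMI"` check depend on the JVM's locale rather than on the input. A comment such as `// CVE-2023-40743: refuse JNDI names that select a remote lookup provider (LDAP, RMI, JMS, JMX, JRMP, JAVA, DNS) before the name is looked up or bound` would record why the list exists, since the hunk's own `// !!! Couldn't do it` comment suggests this code had no documented contract. The enclosing method starts and ends outside the hunk, so whether a `ServiceException` would serve callers better than the two added `return null` statements cannot be judged from here.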