axis-java-dev mailing list archives

From "robert lazarski (JIRA)" <axis-...@ws.apache.org>
Subject [jira] [Comment Edited] (AXIS-2905) Insecure certificate validation CVE-2014-3596
Date Fri, 03 May 2019 15:43:00 GMT

    [ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832589#comment-16832589 ]

robert lazarski edited comment on AXIS-2905 at 5/3/19 3:42 PM:
---------------------------------------------------------------

Thanks for looking into this ... the file referenced in the patch has not been updated since
2002! Some of it uses internal com.sun classes.

There are a couple of LDAP imports in the patch; I couldn't easily figure out a smaller jar
to use, so for now this entry in the axis-rt-core pom.xml will do:

         <dependency>
             <groupId>org.apache.directory.server</groupId>
             <artifactId>apacheds-all</artifactId>
             <version>2.0.0.AM25</version>
         </dependency>

When compiling on Linux with jdk1.8.0_181 and the latest maven 3.6.1 with -X (debug mode),
I ran into this error. That's as far as I have time on this today; I don't run axis 1.x myself
anymore, I just help maintain it:

[INFO] --- animal-sniffer-maven-plugin:1.8:check (default) @ axis-rt-core ---
[INFO] Checking unresolved references to org.codehaus.mojo.signature:java14-sun:1.0
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 8.488 s
[INFO] Finished at: 2019-05-03T05:38:00-10:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check (default)
on project axis-rt-core: Execution default of goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check
failed: Invalid signature file digest for Manifest main attributes -> [Help 1]

was (Author: robertlazarski):
Thanks for looking into this ... the file referenced in the patch has not been updated since
2002! Some of it uses internal com.sun classes. 

There are a couple of LDAP imports in the patch; I couldn't easily figure out a smaller jar
to use, so for now this entry in the axis-rt-core pom.xml will do:

         <dependency>
             <groupId>org.apache.directory.server</groupId>
             <artifactId>apacheds-all</artifactId>
             <version>2.0.0.AM25</version>
         </dependency>

When compiling on Linux with jdk1.8.0_181 and the latest maven 3.6.1 with -X (debug mode),
I ran into this error. That's as far as I have time on this; I don't run axis 1.x myself anymore,
I just help maintain it:

[INFO] --- animal-sniffer-maven-plugin:1.8:check (default) @ axis-rt-core ---
[INFO] Checking unresolved references to org.codehaus.mojo.signature:java14-sun:1.0
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 8.488 s
[INFO] Finished at: 2019-05-03T05:38:00-10:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check (default)
on project axis-rt-core: Execution default of goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check
failed: Invalid signature file digest for Manifest main attributes -> [Help 1]
> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
>                 Key: AXIS-2905
>                 URL: https://issues.apache.org/jira/browse/AXIS-2905
>             Project: Axis
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: David Jorm
>            Priority: Major
>         Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that
> the server hostname matches the domain name in the subject's CN field was flawed. This can
> be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate
> using a specially crafted subject.
> For more details, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
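The issue text quoted above says the hostname-vs-subject-CN check was flawed and could be fooled by a crafted subject. As an added illustration (not Axis 1.x code and not the attached patch), the Java class below takes the defensive route of parsing the subject DN into RDNs with the JDK's javax.naming.ldap.LdapName, so that only genuine CN attributes are compared and text resembling CN=... inside some other attribute's value is never mistaken for the CN. The class name, method names, the two subject strings and the any-CN-matches policy are constructed for this example; a production verifier should consult subjectAltName entries first, which is omitted here.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hostname-vs-subject-CN check that parses the DN into RDNs instead of scanning for "CN=". */
public final class SubjectCnCheck {

    // Constructed example subjects (assumptions for this example, not from the Axis report).
    static final String PLAIN = "CN=api.example.test, O=Example Org, C=US";
    // The text "CN=api.example.test" is only part of the OU value; the single real CN is other.example.test.
    static final String CN_TEXT_INSIDE_OU =
            "CN=other.example.test, OU=\"CN=api.example.test\", O=Example Org, C=US";

    /** Returns the values of the subject's CN RDNs only; content of other attribute values is ignored. */
    static List<String> subjectCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) { // LdapName unescapes quoted/escaped values
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    /** Case-insensitive exact match; a single leftmost-label wildcard such as *.example.test is allowed. */
    static boolean hostnameMatches(String host, String subjectDn) throws InvalidNameException {
        String h = host.toLowerCase(Locale.ROOT);
        for (String cn : subjectCns(subjectDn)) {
            String c = cn.toLowerCase(Locale.ROOT);
            if (c.equals(h)) {
                return true;
            }
            if (c.startsWith("*.") && !c.substring(2).contains("*")) {
                int dot = h.indexOf('.');
                if (dot > 0 && h.substring(dot + 1).equals(c.substring(2))) {
                    return true;
                }
            }
        }
        return false; // no CN RDN names this host
    }

    public static void main(String[] args) throws InvalidNameException {
        System.out.println("api.example.test vs PLAIN: " + hostnameMatches("api.example.test", PLAIN));
        // The CN= text hidden inside the OU value must not count as a CN for api.example.test.
        System.out.println("api.example.test vs OU trick: " + hostnameMatches("api.example.test", CN_TEXT_INSIDE_OU));
        System.out.println("other.example.test vs OU trick: " + hostnameMatches("other.example.test", CN_TEXT_INSIDE_OU));
    }
}
```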

