axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Levent YILDIZ (JIRA)" <>
Subject [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596
Date Fri, 03 May 2019 09:02:00 GMT


Levent YILDIZ commented on AXIS-2905:

Hi, I have been encountering a problem with axis compiling that contain vulnerabilities patch.

When I download source and run this maven command (mvn clean install -Duser.timezone=UTC+3)
in that time every thing is ok.
But when I apply this vulnerability patch I take "[ERROR] Failed to execute goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check
(default) on project axis-rt-core: Signature errors found. Verify them and put @IgnoreJRERequirement
on them. -> [Help 1]".

Also I tried a lot off different maven version and Java version but taken same error. 
And also I googled this situation but not found any solution. 
Could you please help me? 
How can I apply this patch and build?

$ svn checkout axis
$ wget .
$ cd axis
$ patch axis-rt-core/src/main/java/org/apache/axis/components/net/ ../CVE-2014-3596.patch
$ mvn clean install -Duser.timezone=UTC
Tolls and JDK versions
$ mvn -v
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option PermSize=1024m; support was removed
in 8.0 Apache Maven 3.0.4 (r1232337; 2012-01-17 10:44:56+0200) Maven home: /Users/levent.yildiz/development/tools/maven-3.0.4
Java version: 1.8.0_171, vendor: Oracle Corporation Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "10.13.6", arch:
"x86_64", family: "mac"
$ sw_vers
 ProductName:    Mac OS X ProductVersion:    10.13.6 BuildVersion:    17G4015
$ ant -version
Apache Ant version 1.5.3 compiled on April 16 2003

> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>                 Key: AXIS-2905
>                 URL:
>             Project: Axis
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: David Jorm
>            Priority: Major
>         Attachments: CVE-2014-3596.patch
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that
the server hostname matches the domain name in the subject's CN field was flawed. This can
be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate
using a specially crafted subject.
> For more details, see:

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message