Debian Bug report logs - #697974
axis2c: CVE-2012-6107: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate

Package: axis2c; Maintainer for axis2c is Brian Thomason <brian.thomason@eucalyptus.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 12 Jan 2013 09:12:01 UTC

Severity: grave

Tags: security

Forwarded to https://issues.apache.org/jira/browse/AXIS2C-1619



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Brian Thomason <brian.thomason@eucalyptus.com>:
Bug#697974; Package axis2c. (Sat, 12 Jan 2013 09:12:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Brian Thomason <brian.thomason@eucalyptus.com>. (Sat, 12 Jan 2013 09:12:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: axis2c: CVE-2012-6107: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate
Date: Sat, 12 Jan 2013 10:08:28 +0100
Package: axis2c
Severity: grave
Tags: security

Hi,

the following vulnerability was published for axis2c.

CVE-2012-6107[0]:
Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate

See also upstream bugtracker[1]. Unfortunately patches do not seem to
be available yet.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2012-6107
[1] https://issues.apache.org/jira/browse/AXIS2C-1619

Please adjust the affected versions and severity in the BTS as needed.

Regards,
Salvatore




Set Bug forwarded-to-address to 'https://issues.apache.org/jira/browse/AXIS2C-1619'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 24 Jan 2013 21:45:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Brian Thomason <brian.thomason@eucalyptus.com>:
Bug#697974; Package axis2c. (Sun, 27 Jan 2013 12:36:03 GMT)

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Brian Thomason <brian.thomason@eucalyptus.com>. (Sun, 27 Jan 2013 12:36:03 GMT)

Message #12 received at 697974@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 697974@bugs.debian.org
Subject: missing implementation
Date: Sun, 27 Jan 2013 12:32:18 +0000
I've had a quick look into the axis2c codebase, trying to follow
through the calls. I can't see a suitable place where the hostname and
the subject of the X509 certificate can be easily tested. It seems to
me that someone familiar with the axis2c data structures will need to
write new code to make the values accessible and handle the results of
the comparison.

The CVE lacks any defined test mechanism or verification. The lack of
this code would appear to make it possible to implement a classic
man-in-the-middle attack on the communication through axis2c. The bug
itself cannot be reasonably downgraded at this stage, without more
investigation.

The reverse dependencies of axis2c are rampart and eucalyptus.
eucalyptus is not and has not been in Wheezy (it was removed from
unstable and testing, later reintroduced into unstable.)

rampart is allied to axis2c.

I think the only realistic solution to this RC bug in Wheezy is to
remove axis2c and rampart from testing until axis2c can have the
necessary support verified.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/

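The comparison Neil describes as missing, as an added example that is not part of this bug log or of axis2c: it assumes the caller has already pulled the dNSName subjectAltName entries and the subject CN out of the peer certificate with its TLS library, and implements only the RFC 6125 matching of those names against the server hostname (SAN takes precedence over CN, wildcard only in the leftmost label).

```c
/* Hostname-to-certificate-name matching for CVE-2012-6107 (added example, not
 * axis2c code). Assumes the dNSName SAN entries and the subject CN were already
 * extracted from the certificate; this block only performs the comparison. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two DNS names (DNS names are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name (possibly "*.example.com") against a hostname.
 * Wildcard rules per RFC 6125 section 6.4.3: only a leftmost "*." label, it
 * matches exactly one label, and at least two literal labels must follow it,
 * so a certificate for "*.com" does not match every host under .com. */
int cert_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return ieq(pattern, host);           /* no wildcard: exact match */
    const char *suffix = pattern + 1;        /* ".example.com" */
    if (strchr(suffix + 1, '.') == NULL)     /* need two labels after "*" */
        return 0;
    if (strchr(suffix + 1, '*') != NULL)     /* no further wildcards allowed */
        return 0;
    const char *dot = strchr(host, '.');     /* host needs a label for the "*" */
    if (dot == NULL || dot == host)
        return 0;
    return ieq(dot, suffix);                 /* remaining labels must be equal */
}

/* Returns 1 if the certificate names cover host, else 0.
 * RFC 6125: when any dNSName SAN is present the CN is ignored entirely;
 * the CN is consulted only for certificates without SAN dNSName entries. */
int verify_hostname(const char *host, const char *const *san_dns, size_t n_san,
                    const char *cn)
{
    if (n_san > 0) {
        for (size_t i = 0; i < n_san; i++)
            if (cert_name_matches(san_dns[i], host))
                return 1;
        return 0;
    }
    return cn != NULL && cert_name_matches(cn, host);
}
```

A client that skips this step accepts any certificate chaining to a trusted CA regardless of the name it was issued for, which is the gap the CVE describes.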



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 14:05:40 2014; Machine Name: buxtehude.debian.org
