[prev in list] [next in list] [prev in thread] [next in thread]
List: rampart-dev
Subject: [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596
From: "David Jorm (JIRA)" <axis-dev () ws ! apache ! org>
Date: 2014-08-19 3:47:18
Message-ID: JIRA.12734908.1408409137356.29594.1408420038318 () arcas
[Download RAW message or body]
[ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14101808#comment-14101808 \
]
David Jorm commented on AXIS-2905:
----------------------------------
Please note that the proposed patch should apply cleanly to SVN HEAD. It may not \
apply cleanly if the CVE-2012-5784 patch has already been applied.
> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
> Key: AXIS-2905
> URL: https://issues.apache.org/jira/browse/AXIS-2905
> Project: Axis
> Issue Type: Bug
> Affects Versions: 1.4
> Reporter: David Jorm
> Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to check \
> that the server hostname matches the domain name in the subject's CN field was \
> flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the \
> attacker can spoof a valid certificate using a specially crafted subject. For more \
> details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic