<define-tag description>LTS security update</define-tag>
<define-tag moreinfo>
<p>A vulnerability was fixed in axis, a SOAP implementation in Java:</p>
<p>The getCN function in Apache Axis 1.4 and earlier does not properly verify
that the server hostname matches a domain name in the subject's Common Name
(CN) or subjectAltName field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof SSL servers via a certificate with a
subject that specifies a common name in a field that is not the CN field.</p>
<p>Thanks to Markus Koschany for providing the fixed package and David Jorm
and Arun Neelicattu (Red Hat Product Security) for providing the patch.</p>
<p>For Debian 6 <q>Squeeze</q>, this issue has been fixed in axis version 1.4-12+deb6u1.</p>
</define-tag>
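The class of flaw described above, shown as an added example that is not Axis code and not part of the original advisory: a flat-string search for "CN=" in the subject is compared with extraction from a parsed distinguished name. The class name, both method names and the sample subjects are constructed for illustration; subjectAltName handling is out of scope here.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.List;

public class CnExtractionDemo {

    // Flawed (hypothetical): treats the subject DN as a flat string and returns
    // whatever follows the first "CN=", even when that text sits inside another field.
    static String naiveCn(String dn) {
        int start = dn.indexOf("CN=");
        if (start < 0) return null;
        String rest = dn.substring(start + 3);
        int comma = rest.indexOf(',');
        return comma < 0 ? rest : rest.substring(0, comma);
    }

    // Hardened: parses the DN into RDNs and returns a value only from an
    // attribute whose type really is CN. Escaped separators stay inside
    // the value they belong to.
    static String parsedCn(String dn) throws NamingException {
        List<Rdn> rdns = new LdapName(dn).getRdns();
        // getRdns() puts the rightmost RDN at index 0, so walk from the end
        // to visit the leftmost (most specific) RDN first.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            Attribute cn = rdns.get(i).toAttributes().get("cn");
            if (cn != null) return cn.get().toString();
        }
        return null;
    }

    public static void main(String[] args) throws NamingException {
        String[] subjects = {
            // Constructed: ordinary subject.
            "CN=www.example.com,O=Example Org,C=US",
            // Constructed: organisation value that merely contains "CN=".
            "O=foo\\, CN=www.example.com,CN=other.example.net",
        };
        for (String dn : subjects) {
            System.out.println(dn);
            System.out.println("  naive:  " + naiveCn(dn));
            System.out.println("  parsed: " + parsedCn(dn));
        }
    }
}
```

For the second subject the two methods disagree: the flat-string search returns text taken from the O field, while the parsed lookup returns the value of the actual CN attribute.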
# do not modify the following line
#include "$(ENGLISHDIR)/lts/security/2015/dla-169.data"
# $Id$