Security update for axis SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1497-1 Final 1 1 2019-06-03T05:49:35Z current 2019-06-03T05:49:35Z 2019-06-03T05:49:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for axis This update for axis fixes the following issues: Security issue fixed: - CVE-2012-5784, CVE-2014-3596: Fixed missing connection hostname check against X.509 certificate name (bsc#1134598). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1497 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NIAMULYG5N26EYEDOKOQ7IOJ2QNZHEZV/#NIAMULYG5N26EYEDOKOQ7IOJ2QNZHEZV E-Mail link for openSUSE-SU-2019:1497-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1134598 SUSE Bug 1134598 https://www.suse.com/security/cve/CVE-2012-5784/ SUSE CVE CVE-2012-5784 page https://www.suse.com/security/cve/CVE-2014-3596/ SUSE CVE CVE-2014-3596 page openSUSE Leap 15.0 axis-1.4-lp150.9.1 axis-manual-1.4-lp150.9.1 axis-1.4-lp150.9.1 as a component of openSUSE Leap 15.0 axis-manual-1.4-lp150.9.1 as a component of openSUSE Leap 15.0 Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CVE-2012-5784 openSUSE Leap 15.0:axis-1.4-lp150.9.1 openSUSE Leap 15.0:axis-manual-1.4-lp150.9.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NIAMULYG5N26EYEDOKOQ7IOJ2QNZHEZV/#NIAMULYG5N26EYEDOKOQ7IOJ2QNZHEZV https://www.suse.com/security/cve/CVE-2012-5784.html CVE-2012-5784 https://bugzilla.suse.com/1134598 SUSE Bug 1134598 The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. CVE-2014-3596 openSUSE Leap 15.0:axis-1.4-lp150.9.1 openSUSE Leap 15.0:axis-manual-1.4-lp150.9.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NIAMULYG5N26EYEDOKOQ7IOJ2QNZHEZV/#NIAMULYG5N26EYEDOKOQ7IOJ2QNZHEZV https://www.suse.com/security/cve/CVE-2014-3596.html CVE-2014-3596 https://bugzilla.suse.com/1134598 SUSE Bug 1134598