Security update for axis SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1526-1 Final 1 1 2019-06-07T15:12:10Z current 2019-06-07T15:12:10Z 2019-06-07T15:12:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for axis This update for axis fixes the following issues: Security issue fixed: - CVE-2012-5784, CVE-2014-3596: Fixed missing connection hostname check against X.509 certificate name (bsc#1134598). This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html E-Mail link for openSUSE-SU-2019:1526-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 axis-1.4-300.1 axis-javadoc-1.4-300.1 axis-manual-1.4-300.1 axis-1.4-300.1 as a component of openSUSE Leap 42.3 axis-javadoc-1.4-300.1 as a component of openSUSE Leap 42.3 axis-manual-1.4-300.1 as a component of openSUSE Leap 42.3 Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CVE-2012-5784 openSUSE Leap 42.3:axis-1.4-300.1 openSUSE Leap 42.3:axis-javadoc-1.4-300.1 openSUSE Leap 42.3:axis-manual-1.4-300.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html https://www.suse.com/security/cve/CVE-2012-5784.html CVE-2012-5784 https://bugzilla.suse.com/1134598 SUSE Bug 1134598 The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. CVE-2014-3596 openSUSE Leap 42.3:axis-1.4-300.1 openSUSE Leap 42.3:axis-javadoc-1.4-300.1 openSUSE Leap 42.3:axis-manual-1.4-300.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html https://www.suse.com/security/cve/CVE-2014-3596.html CVE-2014-3596 https://bugzilla.suse.com/1134598 SUSE Bug 1134598