Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE Request -- Axis2/c
From: Seth Arnold <seth.arnold () canonical com>
Date: Thu, 10 Jan 2013 19:47:56 -0800

Hello Kurt, Steve, all,

In November, I asked if a CVE had been assigned to Axis2/C for failing
to check hostnames when validating SSL/TLS certificates:
http://www.openwall.com/lists/oss-security/2012/11/07/1
This was part of the fallout from this paper:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

I was not confident enough in my reading of the source code to say that
Axis2/C was vulnerable, so I did not pursue the issue at the time.

Since then, I have re-read the code, emailed three developers privately,
emailed the axis-c-dev mail list, and filed a JIRA bug report. None of
these communications have received any kind of response.

https://issues.apache.org/jira/browse/AXIS2C-1619
http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser

Please assign a CVE for Axis2/C for failing to validate hostnames when
checking SSL certificates.

Thank you

Attachment: signature.asc
Description: Digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]