Home page logo

oss-sec logo oss-sec mailing list archives

CVE Request -- Axis2/c
From: Seth Arnold <seth.arnold () canonical com>
Date: Thu, 10 Jan 2013 19:47:56 -0800

Hello Kurt, Steve, all,

In November, I asked if a CVE had been assigned to Axis2/C for failing
to check hostnames when validating SSL/TLS certificates:
This was part of the fallout from this paper:

I was not confident enough in my reading of the source code to say that
Axis2/C was vulnerable, so I did not pursue the issue at the time.

Since then, I have re-read the code, emailed three developers privately,
emailed the axis-c-dev mail list, and filed a JIRA bug report. None of
these communications have received any kind of response.


Please assign a CVE for Axis2/C for failing to validate hostnames when
checking SSL certificates.

Thank you

Attachment: signature.asc
Description: Digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]