mailing list archives
CVE Request -- Axis2/c
From: Seth Arnold <seth.arnold () canonical com>
Date: Thu, 10 Jan 2013 19:47:56 -0800
Hello Kurt, Steve, all,
In November, I asked if a CVE had been assigned to Axis2/C for failing
to check hostnames when validating SSL/TLS certificates:
This was part of the fallout from this paper:
I was not confident enough in my reading of the source code to say that
Axis2/C was vulnerable, so I did not pursue the issue at the time.
Since then, I have re-read the code, emailed three developers privately,
emailed the axis-c-dev mail list, and filed a JIRA bug report. None of
these communications have received any kind of response.
Please assign a CVE for Axis2/C for failing to validate hostnames when
checking SSL certificates.
Description: Digital signature
- CVE Request -- Axis2/c Seth Arnold (Jan 11)