Date: Thu, 10 Jan 2013 19:47:56 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org, security@...ntu.com
Subject: CVE Request -- Axis2/c

Hello Kurt, Steve, all,

In November, I asked if a CVE had been assigned to Axis2/C for failing
to check hostnames when validating SSL/TLS certificates:
http://www.openwall.com/lists/oss-security/2012/11/07/1
This was part of the fallout from this paper:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

I was not confident enough in my reading of the source code to say that
Axis2/C was vulnerable, so I did not pursue the issue at the time.

Since then, I have re-read the code, emailed three developers privately,
emailed the axis-c-dev mail list, and filed a JIRA bug report. None of
these communications have received any kind of response.

https://issues.apache.org/jira/browse/AXIS2C-1619
http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser

Please assign a CVE for Axis2/C for failing to validate hostnames when
checking SSL certificates.

Thank you
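The check the message says Axis2/C omits, as an added example that is not code from Axis2/C or from this mail: chain validation alone accepts any certificate issued to anyone, so the peer's name must also be matched against the certificate's identities. The matcher below follows the usual RFC 6125 rules (subjectAltName first, CN only as fallback, wildcard only as the whole left-most label) and runs against constructed certificates in the layout of Python's ssl.getpeercert(); the function names and sample data are the example's own.

```python
"""Hostname matching that must accompany certificate chain validation."""
import ipaddress


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Match one DNS-ID (possibly wildcard) against a hostname.
    A single '*' is allowed only as the entire left-most label, must have
    at least two labels after it (no '*.com'), and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if `hostname` is one of the identities the certificate carries.
    `cert` mimics ssl.getpeercert(): 'subjectAltName' is a tuple of
    (type, value) pairs, 'subject' a tuple of RDNs of (key, value) pairs.
    subjectAltName is authoritative when present; CN is only a fallback."""
    san = cert.get("subjectAltName", ())
    dns_ids = [v for t, v in san if t == "DNS"]
    ip_ids = [v for t, v in san if t == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # IP literals match only iP SANs, never DNS names or CN
        return any(ipaddress.ip_address(v) == ip for v in ip_ids)
    if dns_ids:
        return any(_match_dns_pattern(p, hostname) for p in dns_ids)
    for rdn in cert.get("subject", ()):  # legacy fallback: Common Name
        for key, value in rdn:
            if key == "commonName":
                return _match_dns_pattern(value, hostname)
    return False


def peer_is_acceptable(chain_valid: bool, cert: dict, hostname: str) -> bool:
    """Both checks are required; a valid chain for the wrong name is a failure."""
    return chain_valid and hostname_matches(cert, hostname)


# Constructed sample certificates (not real), in ssl.getpeercert() layout.
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
OTHER_CERT = {"subject": ((("commonName", "host.example.net"),),),  # validly issued, other name
              "subjectAltName": (("DNS", "host.example.net"), ("IP Address", "192.0.2.10"))}
```

With only chain validation, `OTHER_CERT` would be accepted for a connection to www.example.com; `peer_is_acceptable` rejects it.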

