Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 11 Jan 2013 01:03:36 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, coley@...us.mitre.org,
        security@...ntu.com
Subject: Re: CVE Request -- Axis2/c

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2013 08:47 PM, Seth Arnold wrote:
> Hello Kurt, Steve, all,
> 
> In November, I asked if a CVE had been assigned to Axis2/C for
> failing to check hostnames when validating SSL/TLS certificates: 
> http://www.openwall.com/lists/oss-security/2012/11/07/1 This was
> part of the fallout from this paper: 
> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
> 
> I was not confident enough in my reading of the source code to say
> that Axis2/C was vulnerable, so I did not pursue the issue at the
> time.
> 
> Since then, I have re-read the code, emailed three developers
> privately, emailed the axis-c-dev mail list, and filed a JIRA bug
> report. None of these communications have received any kind of
> response.
> 
> https://issues.apache.org/jira/browse/AXIS2C-1619 
> http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser
>
>  Please assign a CVE for Axis2/C for failing to validate hostnames
> when checking SSL certificates.
> 
> Thank you
> 

Please use CVE-2012-6107 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ78dYAAoJEBYNRVNeJnmTaeEQAKDZY/mbWcZxRV1QEPXJcYuF
h0Z/Fjr2TqJOL4kia9zLufQZGB93zmaND0QJzJOZmnah0W3MBx24U0+alOrmZE9R
zy29hvt72epTZi8AeYd0IsF4ZfGslBN6mIcNjZ5unw4SyoFB3T9Io65BAFHf9+8e
+Ay0Ajch+Qw75/EwyiQt48In0a9XAaaP6+ZD//TqJxQHvHX0zvgTuSMz16d870MD
XyyfY/WdeJdrMojZUFysJKo1Yc9lW5a0e8fmGtlnZEq4mKPsgue2pfBc+UyUm1TN
M3hiOuipzipJm8lAiYse7+OG3hrDxrHqGf1+hlZhg6gX49zyp5s7RvOLqNSgMPJw
YhFf0XUwOoQJLARw1RDNqHYTELz8iKK6HwszBVmb7Z6W67QGUZkzLpXPh8kDQYAs
aIg9oIdOr6A3tla6LomXKbbLdr25G5/3HzQcjX5MWHhCi6HkBKK3KSOCStuG5Zxy
636mgvt8mkBSI6GkNRq1qnTTMmOit16Jhf65DtoHZjJoLh5mbBcGIU2ARQIqUhGW
e8CFLqbs8VgGYzybCjiPPDKxh6GNu85sRSKdLMsmrPTraatHW33vUPVJL8rEG4GT
5rT0xD4/oyrtYP2xeZd3NPNbAS8GhYTp8fSYXao9+RTHjJScrM0xgwRzf63CSP9C
xs+WPycu1KzXx5XEC79a
=iK3V
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.