Date: Thu, 10 Jan 2013 19:47:56 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org, security@...ntu.com
Subject: CVE Request -- Axis2/c

Hello Kurt, Steve, all,

In November, I asked if a CVE had been assigned to Axis2/C for failing to
check hostnames when validating SSL/TLS certificates:

http://www.openwall.com/lists/oss-security/2012/11/07/1

This was part of the fallout from this paper:

http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

I was not confident enough in my reading of the source code to say that
Axis2/C was vulnerable, so I did not pursue the issue at the time.

Since then, I have re-read the code, emailed three developers privately,
emailed the axis-c-dev mail list, and filed a JIRA bug report. None of
these communications have received any kind of response.

https://issues.apache.org/jira/browse/AXIS2C-1619
http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser

Please assign a CVE for Axis2/C for failing to validate hostnames when
checking SSL certificates.

Thank you