Security update for axis SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:1373-1 Final 1 1 2019-05-28T15:00:13Z current 2019-05-28T15:00:13Z 2019-05-28T15:00:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for axis This update for axis fixes the following issues: Security issue fixed: - CVE-2012-5784, CVE-2014-3596: Fixed missing connection hostname check against X.509 certificate name (bsc#1134598). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-1373,SUSE-SLE-Module-Basesystem-15-2019-1373,SUSE-SLE-Module-Development-Tools-OBS-15-2019-1373 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20191373-1/ Link for SUSE-SU-2019:1373-1 https://lists.suse.com/pipermail/sle-security-updates/2019-May/005514.html E-Mail link for SUSE-SU-2019:1373-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1134598 SUSE Bug 1134598 https://www.suse.com/security/cve/CVE-2012-5784/ SUSE CVE CVE-2012-5784 page https://www.suse.com/security/cve/CVE-2014-3596/ SUSE CVE CVE-2014-3596 page SUSE Linux Enterprise Module for Basesystem 15 axis-1.4-5.8.1 axis-manual-1.4-5.8.1 axis-1.4-5.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CVE-2012-5784 SUSE Linux Enterprise Module for Basesystem 15:axis-1.4-5.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191373-1/ https://www.suse.com/security/cve/CVE-2012-5784.html CVE-2012-5784 https://bugzilla.suse.com/1134598 SUSE Bug 1134598 The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. CVE-2014-3596 SUSE Linux Enterprise Module for Basesystem 15:axis-1.4-5.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191373-1/ https://www.suse.com/security/cve/CVE-2014-3596.html CVE-2014-3596 https://bugzilla.suse.com/1134598 SUSE Bug 1134598