axis-1.4-302.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10646-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z axis-1.4-302.6 on GA media These are all security issues fixed in the axis-1.4-302.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10646 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2012-5784/ SUSE CVE CVE-2012-5784 page https://www.suse.com/security/cve/CVE-2014-3596/ SUSE CVE CVE-2014-3596 page https://www.suse.com/security/cve/CVE-2018-8032/ SUSE CVE CVE-2018-8032 page openSUSE Tumbleweed axis-1.4-302.6 axis-manual-1.4-302.6 axis-1.4-302.6 as a component of openSUSE Tumbleweed axis-manual-1.4-302.6 as a component of openSUSE Tumbleweed Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CVE-2012-5784 openSUSE Tumbleweed:axis-1.4-302.6 openSUSE Tumbleweed:axis-manual-1.4-302.6 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5784.html CVE-2012-5784 https://bugzilla.suse.com/1134598 SUSE Bug 1134598 The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. CVE-2014-3596 openSUSE Tumbleweed:axis-1.4-302.6 openSUSE Tumbleweed:axis-manual-1.4-302.6 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3596.html CVE-2014-3596 https://bugzilla.suse.com/1134598 SUSE Bug 1134598 Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. CVE-2018-8032 openSUSE Tumbleweed:axis-1.4-302.6 openSUSE Tumbleweed:axis-manual-1.4-302.6 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-8032.html CVE-2018-8032 https://bugzilla.suse.com/1103658 SUSE Bug 1103658