Hi,

On Mon, 20 May 2019 12:20:31 +0200 Sylvain Beucler <b...@beuc.net> wrote:
> Package: axis
> X-Debbugs-CC: t...@security.debian.org
> Tags: security
>
> Hi,
>
> The following vulnerability was published for axis.
>
> CVE-2019-0227[0]:
> | A Server Side Request Forgery (SSRF) vulnerability affected the Apache
> | Axis 1.4 distribution that was last released in 2006. Security and bug
> | commits continue in the project's Axis 1.x Subversion
> | repository, legacy users are encouraged to build from source. The
> | successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not
> | vulnerable to this issue.
>
> The vulnerable 'StockQuoteService.jws' is not present in Debian binary
> packages, however an SSRF mitigation was also committed [1].
I believe the SSRF mitigation should be viewed in the context of the
vulnerable StockQuoteService.jws file. Since we don't ship this file in
our binary packages, I think it is correct to mark the issue as
unimportant. However I agree it is sensible to change
uconn.setInstanceFollowRedirects(true) to
uconn.setInstanceFollowRedirects(false).

I don't think it is likely that this issue is somehow exploited when
using our Debian package. We use axis mainly as a build-dependency for
other packages. We could change the default for
uconn.setInstanceFollowRedirects in Buster but keep it this way in
Jessie and Stretch.

It is nice to know that there is ongoing work on axis1. I think we could
update this package after the freeze and track the new upstream
development at https://github.com/apache/axis1-java/

Regards,

Markus
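To illustrate why the setInstanceFollowRedirects change matters for SSRF, here is an added, self-contained example (not code from the Axis project or from this thread). It starts a local HTTP server whose /redirect endpoint answers 302 to a second endpoint standing in for an internal-only resource, then fetches it once with redirects enabled and once with them disabled; the server, paths and fetch() helper are constructed for this demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class RedirectCheck {
    // Opens the URL the way a service would and returns the status the caller observes.
    static int fetch(URL url, boolean follow) throws IOException {
        HttpURLConnection uconn = (HttpURLConnection) url.openConnection();
        uconn.setInstanceFollowRedirects(follow);
        int code = uconn.getResponseCode();
        if (code >= 300 && code < 400) {
            // With redirects disabled the caller sees the Location header itself
            // and can apply its own host allow-list before (or instead of) following it.
            System.out.println("redirect to " + uconn.getHeaderField("Location") + " not followed");
        }
        uconn.disconnect();
        return code;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample server: /internal stands in for a resource that should
        // only be reachable from the server host; /redirect points at it.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        int port = server.getAddress().getPort();
        server.createContext("/internal", ex -> {
            byte[] body = "internal resource".getBytes();
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.createContext("/redirect", ex -> {
            ex.getResponseHeaders().add("Location", "http://127.0.0.1:" + port + "/internal");
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        server.start();
        try {
            URL url = new URL("http://127.0.0.1:" + port + "/redirect");
            // Redirects enabled: the connection follows the 302 silently, so any check
            // made on the original URL never sees the final target.
            System.out.println("follow=true  -> HTTP " + fetch(url, true));
            // Redirects disabled: the 302 is returned to the caller, who decides.
            System.out.println("follow=false -> HTTP " + fetch(url, false));
        } finally {
            server.stop(0);
        }
    }
}
```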