[ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832374#comment-16832374
]
Levent YILDIZ commented on AXIS-2905:
-------------------------------------
Hi, I have been encountering a problem with axis compiling that contain vulnerabilities patch.
When I download source and run this maven command (mvn clean install -Duser.timezone=UTC+3)
in that time every thing is ok.
But when I apply this vulnerability patch I take "[ERROR] Failed to execute goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check
(default) on project axis-rt-core: Signature errors found. Verify them and put @IgnoreJRERequirement
on them. -> [Help 1]".
Also I tried a lot off different maven version and Java version but taken same error.
And also I googled this situation but not found any solution.
Could you please help me?
How can I apply this patch and build?
steps:
{code:java}
$ svn checkout https://svn.apache.org/repos/asf/axis/axis1/java/trunk axis
$ wget https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch .
$ cd axis
$ patch axis-rt-core/src/main/java/org/apache/axis/components/net/JSSESocketFactory.java ../CVE-2014-3596.patch
$ mvn clean install -Duser.timezone=UTC
{code}
Tolls and JDK versions
{code:java}
$ mvn -v
{code}
{code:java}
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option PermSize=1024m; support was removed
in 8.0 Apache Maven 3.0.4 (r1232337; 2012-01-17 10:44:56+0200) Maven home: /Users/levent.yildiz/development/tools/maven-3.0.4
Java version: 1.8.0_171, vendor: Oracle Corporation Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "10.13.6", arch:
"x86_64", family: "mac"
{code}
{code:java}
$ sw_vers
{code}
{code:java}
ProductName: Mac OS X ProductVersion: 10.13.6 BuildVersion: 17G4015
{code}
{code:java}
$ ant -version
{code}
{code:java}
Apache Ant version 1.5.3 compiled on April 16 2003
{code}
> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
> Key: AXIS-2905
> URL: https://issues.apache.org/jira/browse/AXIS-2905
> Project: Axis
> Issue Type: Bug
> Affects Versions: 1.4
> Reporter: David Jorm
> Priority: Major
> Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that
the server hostname matches the domain name in the subject's CN field was flawed. This can
be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate
using a specially crafted subject.
> For more details, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
|