Change logs for axis source package in Vivid

  • axis (1.4-22) unstable; urgency=medium
    
    
      * Updated the dependency on the Servlet API (3.0 -> 3.1)
      * libaxis-java no longer depends on the Servlet API since it's always
        provided by the web container executing Axis.
      * Replaced the dependency on libgnumail-java with libmail-java
    
     -- Emmanuel Bourg <email address hidden>  Fri, 17 Oct 2014 13:23:45 +0200
  • axis (1.4-21) unstable; urgency=high
    
    
      * Team upload.
      * Fix CVE-2014-3596.
        - Replace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes
          both CVE issues. Thanks to Raphael Hertzog for the report.
        - The getCN function in Apache Axis 1.4 and earlier does not properly
          verify that the server hostname matches a domain name in the subject's
          Common Name (CN) or subjectAltName field of the X.509 certificate,
          which allows man-in-the-middle attackers to spoof SSL servers via a
          certificate with a subject that specifies a common name in a field
          that is not the CN field.  NOTE: this issue exists because of an
          incomplete fix for CVE-2012-5784.
        - (Closes: #762444)
      * Declare compliance with Debian Policy 3.9.6.
      * Use compat level 9 and require debhelper >=9.
      * Use canonical VCS fields.
    
     -- Markus Koschany <email address hidden>  Thu, 25 Sep 2014 19:45:08 +0000