axis (1.4-21) unstable; urgency=high

  * Team upload.
  * Fix CVE-2014-3596.
    - Replace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes
      both CVE issues. Thanks to Raphael Hertzog for the report.
    - The getCN function in Apache Axis 1.4 and earlier does not properly
      verify that the server hostname matches a domain name in the subject's
      Common Name (CN) or subjectAltName field of the X.509 certificate,
      which allows man-in-the-middle attackers to spoof SSL servers via a
      certificate with a subject that specifies a common name in a field
      that is not the CN field. NOTE: this issue exists because of an
      incomplete fix for CVE-2012-5784.
    - (Closes: #762444)
  * Declare compliance with Debian Policy 3.9.6.
  * Use compat level 9 and require debhelper >=9.
  * Use canonical VCS fields.

 -- Markus Koschany <email address hidden>  Thu, 25 Sep 2014 19:45:08 +0000
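
The parsing failure described in this entry, as an added example that is not part of the changelog or of Axis's source: `naiveCn` is an assumed stand-in for string-based CN extraction, while `strictCns` uses the JDK's `LdapName` to return only values whose attribute type is CN. The class name, both method names and the subject DNs are constructed for illustration, and subjectAltName handling is out of scope here.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionDemo {

    // Assumed stand-in for string-based extraction (not Axis's code): returns
    // the text after the first "CN=" up to the next unescaped comma, without
    // checking which attribute that text actually belongs to.
    static String naiveCn(String dn) {
        int start = dn.indexOf("CN=");
        if (start == -1) return null;
        String rest = dn.substring(start + 3);
        int end = 0;
        while (end < rest.length()
                && !(rest.charAt(end) == ',' && end > 0 && rest.charAt(end - 1) != '\\')) {
            end++;
        }
        return rest.substring(0, end);
    }

    // Parses the DN into RDNs and returns only values whose attribute type is
    // CN, including CN components of multi-valued RDNs.
    static List<String> strictCns(String dn) throws NamingException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            Attribute cn = rdn.toAttributes().get("cn");
            if (cn != null) cns.add(cn.get().toString());
        }
        return cns;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subject DNs in RFC 2253 string form.
        String[] subjects = {
            "CN=www.example.org,O=Example Org,C=US",
            "O=CN=www.example.org,CN=other.example.net,C=US" // CN-like text inside O
        };
        for (String dn : subjects) {
            System.out.println(dn);
            System.out.println("  naive : " + naiveCn(dn));
            System.out.println("  strict: " + strictCns(dn));
        }
    }
}
```

For the second subject the two methods disagree about which name the certificate asserts, which makes this pair of inputs a useful regression test for any hostname verifier that reads the subject DN.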