I've had a quick look into the axis2c codebase, trying to follow through the calls. I can't see a suitable place where the hostname and the subject of the X509 certificate can be easily tested. It seems to me that someone familiar with the axis2c data structures will need to write new code to make the values accessible and handle the results of the comparison.
The CVE lacks any defined test mechanism or verification. The lack of this code would appear to make it possible to implement a classic man-in-the-middle attack on the communication through axis2c. The bug itself cannot be reasonably downgraded at this stage, without more investigation. The reverse dependencies of axis2c are rampart and eucalyptus. eucalyptus is not and has not been in Wheezy (it was removed from unstable and testing, later reintroduced into unstable). rampart is allied to axis2c. I think the only realistic solution to this RC bug in Wheezy is to remove axis2c and rampart from testing until axis2c can have the necessary support verified.

--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
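The check the message says axis2c is missing, matching the requested hostname against the names in the peer's X.509 certificate, is shown below as an added example. It is not code from axis2c, rampart or the Debian bug, and it does not parse certificates: the SAN and CN values are constructed sample inputs standing in for what a client would read from the peer certificate. The rules implemented are the RFC 6125 ones a TLS client applies (case-insensitive DNS comparison, a single wildcard only as the whole leftmost label, IP literals matched only against iPAddress SANs, subject CN consulted only when no dNSName SAN is present). Without such a check, any certificate the client's trust store accepts passes, which is exactly the man-in-the-middle exposure described above.

```python
"""Hostname-to-certificate matching as a TLS client must perform it (RFC 6125).

Added example, not code from axis2c or rampart. All certificate names
below are constructed sample values; a real client would obtain them from
the peer's subjectAltName extension and subject CN after chain validation.
"""
import ipaddress


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot denotes the root
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName `pattern` covers `hostname`."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, and the only one
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse overly broad patterns such as "*" or "*.com"
    if len(p_labels) < 3:
        return False
    # The wildcard matches exactly one non-empty label, never "a.b"
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_matches_host(hostname, dns_sans, ip_sans, common_name=None):
    """Decide whether a certificate with these names was issued for `hostname`.

    dns_sans / ip_sans: dNSName and iPAddress subjectAltName values.
    common_name: subject CN, used only as a legacy fallback.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals match only an iPAddress SAN: no dNSName, CN or wildcard
        return any(ipaddress.ip_address(s) == ip for s in ip_sans)
    if dns_sans:
        return any(dns_name_matches(p, hostname) for p in dns_sans)
    # CN fallback applies only when the certificate carries no dNSName SAN
    return common_name is not None and dns_name_matches(common_name, hostname)


class HostnameMismatch(Exception):
    """Raised when the peer certificate is not for the host we asked for."""


def verify_peer_name(hostname, dns_sans, ip_sans, common_name=None):
    """Abort the connection (by raising) before any application data flows."""
    if not certificate_matches_host(hostname, dns_sans, ip_sans, common_name):
        raise HostnameMismatch(f"certificate does not match {hostname!r}")
    return True


if __name__ == "__main__":
    # Constructed peer certificate: valid for the legitimate service only
    cert = {"dns": ["www.example.com", "*.api.example.com"],
            "ip": ["192.0.2.10"], "cn": "www.example.com"}
    for host in ["www.example.com", "foo.api.example.com", "192.0.2.10",
                 "a.b.api.example.com", "attacker.example.org"]:
        ok = certificate_matches_host(host, cert["dns"], cert["ip"], cert["cn"])
        print(f"{host:24s} -> {'accept' if ok else 'reject'}")
```

The interposition case is the last line of the demo: a certificate that chains to a trusted CA but names a different host is rejected only because of this comparison, which is why an HTTPS client that performs chain validation without it still offers no protection against an active attacker.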