
CVE-2019-0227: wrong link #1

Closed
Beuc opened this issue Apr 13, 2019 · 3 comments

@Beuc

commented Apr 13, 2019

Hi,

I'm checking this Axis vulnerability as part of the Debian LTS team.

In your disclosure you mention an SSRF patch from Apache, but the link points to an old 2017 binary Jenkins build of Axis.
In addition, all the upstream dev/SVN links for Axis appear to be broken nowadays.

Is the SSRF patch referenced under this CVE?
Do you have a patch URL?

@DaveYesland

Contributor

commented Apr 17, 2019

> Hi,
>
> I'm checking this Axis vulnerability as part of the Debian LTS team.
>
> In your disclosure you mention an SSRF patch from Apache, but the link points to an old 2017 binary Jenkins build of Axis.
> In addition, all the upstream dev/SVN links for Axis appear to be broken nowadays.
>
> Is the SSRF patch referenced under this CVE?
> Do you have a patch URL?

Yup, that was a mistake; we are getting that fixed. Here is the maintained version: https://travis-ci.org/apache/axis1-java

@Beuc

Author

commented Apr 17, 2019

This new link points to the latest build, testing an unrelated pull request.
Can you link the actual SSRF mitigation patch?

@DaveYesland

Contributor

commented Apr 17, 2019

SSRF mitigation by not following redirects: apache/axis1-java@35511b8

Removing sample .jws files from war: apache/axis1-java@7043f1a
