Candidate: CVE-2014-3596
PublicDate: 2014-08-27 00:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596
 https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch
Description:
 The getCN function in Apache Axis 1.4 and earlier does not properly verify
 that the server hostname matches a domain name in the subject's Common Name
 (CN) or subjectAltName field of the X.509 certificate, which allows
 man-in-the-middle attackers to spoof SSL servers via a certificate with a
 subject that specifies a common name in a field that is not the CN field.
 NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
Ubuntu-Description:
Notes:
 jdstrand> fix for CVE-2012-5784 not applied to 12.04 LTS
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692650
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_axis:
upstream_axis: released (1.4-16.2)
lucid_axis: ignored (reached end-of-life)
precise_axis: not-affected
trusty_axis: not-affected (1.4-20ubuntu3)
trusty/esm_axis: DNE (trusty was not-affected [1.4-20ubuntu3])
devel_axis: not-affected