Discussion:
[jira] [Created] (AXIS2-5930) CVE issues with dependency jars of axis2
tanishq pruthi (JIRA)
2018-08-30 07:02:00 UTC
tanishq pruthi created AXIS2-5930:
-------------------------------------

Summary: CVE issues with dependency jars of axis2
Key: AXIS2-5930
URL: https://issues.apache.org/jira/browse/AXIS2-5930
Project: Axis2
Issue Type: Bug
Affects Versions: 1.7.8
Reporter: tanishq pruthi


The dependent jars in the axis 2 package are not updated to the latest version.

Due to this, some of the jars contain vulnerabilities. Some of them are below:

[mex-1.7.6-impl.jar|#l203_99ee5f563d035e3904894ea89c4550bb71ddf34b]

[axis2-kernel-1.7.6.jar|#l245_aa2e05c5dc080f7089072d17acfb9b1a50d8bda9]

[tribes-6.0.16.jar|#l321_50b300ff415ef0cf3af4f14ec03131cdcb019efa]

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-***@axis.apache.org
For additional commands, e-mail: java-dev-***@axis.apache.org
tanishq pruthi (JIRA)
2018-08-30 07:04:00 UTC
[ https://issues.apache.org/jira/browse/AXIS2-5930?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

tanishq pruthi updated AXIS2-5930:
----------------------------------
Description:
The dependent jars in the axis 2 package are not updated to the latest version.

Due to this, some of the jars contain vulnerabilities. Some of them are below:

[mex-1.7.6-impl.jar|#l203_99ee5f563d035e3904894ea89c4550bb71ddf34b]

[axis2-kernel-1.7.6.jar|#l245_aa2e05c5dc080f7089072d17acfb9b1a50d8bda9]

[tribes-6.0.16.jar|#l321_50b300ff415ef0cf3af4f14ec03131cdcb019efa]

Dependency check tool is giving the following CVEs in these jars:

*[CVE-2012-5351|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5351]*

*[CVE-2012-4418|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4418]*

was:
The dependent jars in the axis 2 package are not updated to the latest version.

Due to this, some of the jars contain vulnerabilities. Some of them are below:

[mex-1.7.6-impl.jar|#l203_99ee5f563d035e3904894ea89c4550bb71ddf34b]

[axis2-kernel-1.7.6.jar|#l245_aa2e05c5dc080f7089072d17acfb9b1a50d8bda9]

[tribes-6.0.16.jar|#l321_50b300ff415ef0cf3af4f14ec03131cdcb019efa]

 
Andreas Veithen (JIRA)
2018-09-01 12:21:00 UTC
[ https://issues.apache.org/jira/browse/AXIS2-5930?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Veithen resolved AXIS2-5930.
------------------------------------
Resolution: Fixed
Fix Version/s: 1.7.9
Andreas Veithen (JIRA)
2018-09-01 12:21:00 UTC
[ https://issues.apache.org/jira/browse/AXIS2-5930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16599624#comment-16599624 ]

Andreas Veithen commented on AXIS2-5930:
----------------------------------------

CVE-2012-5351 and CVE-2012-4418 are related to SAML which would affect Rampart, not Axis2 itself. Probably the tool incorrectly links them to mex and axis2-kernel. Regarding the Tribes vulnerability, that dependency was updated in r1837509.
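
An added example, not part of the original thread: one way to record the assessment in the comment above, assuming the reporter's scanner is OWASP Dependency-Check (the ticket does not name the tool). The file paths are matched against the exact jar names from the ticket, so a different version of either jar is evaluated again rather than silently suppressed; the Tribes finding is not suppressed because it was resolved by the dependency update.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Suppression file for OWASP Dependency-Check (assumed tool).
     Each entry is scoped to one CVE and to the jar names listed in AXIS2-5930. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      AXIS2-5930: per the maintainer comment, this CVE relates to SAML,
      which would affect Rampart, not Axis2 itself. Re-check if Rampart
      is deployed alongside these jars.
    ]]></notes>
    <!-- regex must match the full path of the scanned file -->
    <filePath regex="true">.*[/\\](axis2-kernel-1\.7\.6|mex-1\.7\.6-impl)\.jar</filePath>
    <cve>CVE-2012-5351</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
      AXIS2-5930: same assessment as above for the second CVE reported
      against the same jars.
    ]]></notes>
    <filePath regex="true">.*[/\\](axis2-kernel-1\.7\.6|mex-1\.7\.6-impl)\.jar</filePath>
    <cve>CVE-2012-4418</cve>
  </suppress>
</suppressions>
```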
tanishq pruthi (JIRA)
2018-09-06 04:07:00 UTC
[ https://issues.apache.org/jira/browse/AXIS2-5930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605228#comment-16605228 ]

tanishq pruthi commented on AXIS2-5930:
---------------------------------------

So, will this be available in axis 1.7.9, because axis 1.7.8 still contains tribes 6.0.16?
Andreas Veithen (JIRA)
2018-09-08 20:23:00 UTC
[ https://issues.apache.org/jira/browse/AXIS2-5930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608194#comment-16608194 ]

Andreas Veithen commented on AXIS2-5930:
----------------------------------------

Yes (as indicated by the "Fix Version" field of this ticket).
Raghavi (JIRA)
2018-11-09 10:54:00 UTC
[ https://issues.apache.org/jira/browse/AXIS2-5930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16681250#comment-16681250 ]

Raghavi commented on AXIS2-5930:
--------------------------------

Hi,

 

Could you please give information about when Apache Axis2 1.7.9 will be released?

 

Thanks and Regards,

Raghavi G. Kamat
Andreas Veithen (JIRA)
2018-11-16 20:32:00 UTC
[ https://issues.apache.org/jira/browse/AXIS2-5930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16689972#comment-16689972 ]

Andreas Veithen commented on AXIS2-5930:
----------------------------------------

The release process for 1.7.9 has been started; see https://markmail.org/thread/2vfy7b6gswxln6sk.