Version in base suite: 1.4-28
Base version: axis_1.4-28
Target version: axis_1.4-28+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/axis/axis_1.4-28.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/a/axis/axis_1.4-28+deb12u1.dsc
 changelog | 12 ++++++++++++
 patches/CVE-2023-40743.patch | 32 ++++++++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 45 insertions(+)
diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog
--- axis-1.4/debian/changelog 2018-12-03 07:25:51.000000000 +0000
+++ axis-1.4/debian/changelog 2023-10-17 12:05:20.000000000 +0000
@@ -1,3 +1,15 @@
+axis (1.4-28+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2023-40743:
+ When integrating Apache Axis 1.x in an application, it may not have been
+ obvious that looking up a service through "ServiceFactory.getService"
+ allows potentially dangerous lookup mechanisms such as LDAP. When passing
+ untrusted input to this API method, this could expose the application to
+ DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
+
+ -- Markus Koschany Tue, 17 Oct 2023 14:05:20 +0200
+
 axis (1.4-28) unstable; urgency=medium
 * Fixed the build failure with Java 11 (Closes: #911187)
diff -Nru axis-1.4/debian/patches/CVE-2023-40743.patch axis-1.4/debian/patches/CVE-2023-40743.patch
--- axis-1.4/debian/patches/CVE-2023-40743.patch 1970-01-01 00:00:00.000000000 +0000
+++ axis-1.4/debian/patches/CVE-2023-40743.patch 2023-10-17 12:05:20.000000000 +0000
@@ -0,0 +1,32 @@
+From: Markus Koschany
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
++++ b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+
+ if (context != null) {
+ String name = (String)environment.get("jndiName");
++
++ if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1) {
++ return null;
++ }
+ if (name == null) {
+ name = "axisServiceName";
+ }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+ context.bind(name, service);
+ } catch (NamingException e1) {
+ // !!! Couldn't do it, what should we do here?
++ return null;
+ }
+ }
+ } else {
diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series
--- axis-1.4/debian/patches/series 2018-12-02 23:33:50.000000000 +0000
+++ axis-1.4/debian/patches/series 2023-10-17 12:05:20.000000000 +0000
@@ -8,3 +8,4 @@
 java9-compatibility.patch
 java11-compatibility.patch
 CVE-2018-8032.patch
+CVE-2023-40743.patch
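Review bot: The null guard on the added `if` in the first ServiceFactory hunk closes after the `"JMX"` check, so the `"JRMP"`, `"JAVA"` and `"DNS"` tests run even when `name` is null and `name.toUpperCase()` throws NullPointerException before the existing `if (name == null) { name = "axisServiceName"; }` fallback is reached; the enclosing method starts and ends outside the hunk. Hoisting the upper-casing and closing the parenthesis at the end of the condition fixes this: `String upper = name == null ? "" : name.toUpperCase(java.util.Locale.ROOT);` followed by `if (upper.indexOf("LDAP") != -1 || upper.indexOf("RMI") != -1 || upper.indexOf("JMS") != -1 || upper.indexOf("JMX") != -1 || upper.indexOf("JRMP") != -1 || upper.indexOf("JAVA") != -1 || upper.indexOf("DNS") != -1) {`. `Locale.ROOT` matters because default-locale `toUpperCase()` maps `i` differently under some locales (Turkish, for one), which would let a lower-case `rmi` name past the `"RMI"` check. Both added `return null` statements also hide the refusal from the caller, so a name rejected for containing a blocked scheme is indistinguishable from a bind that simply failed; logging the rejected name in the new branch and in the `NamingException` branch (whose `// !!! Couldn't do it` comment still stands) would at least make the event visible to operators.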