In November, I asked if a CVE had been assigned to Axis2/C for failing
to check hostnames when validating SSL/TLS certificates:
This was part of the fallout from this paper:
I was not confident enough in my reading of the source code to say that
Axis2/C was vulnerable, so I did not pursue the issue at the time.
Since then, I have re-read the code, emailed three developers privately,
emailed the axis-c-dev mail list, and filed a JIRA bug report. None of
these communications have received any kind of response.
Please assign a CVE for Axis2/C for failing to validate hostnames when
checking SSL certificates.