https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
Scott Cantor canto...@osu.edu changed:
What|Removed |Added
Status|RESOLVED|CLOSED
--
making a final version available
early next week.
Thanks,
Sean
bugzi...@apache.org wrote:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Summary: XML signature HMAC truncation authentication bypass
Product: Security
Version: Java 1.4.2
Platform
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Summary: XML signature HMAC truncation authentication bypass
Product: Security
Version: Java 1.4.2
Platform: All
OS/Version: All
Status: NEW
Severity: critical
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
sean.mul...@sun.com changed:
What|Removed |Added
Status|NEW |RESOLVED
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
Summary: XML signature HMAC truncation authentication bypass
Product: Security
Version: C++ 1.5.0
Platform: All
URL: http://www.kb.cert.org/vuls/id/466161
OS/Version: All
/show_bug.cgi?id=47526
Summary: XML signature HMAC truncation authentication bypass
Product: Security
Version: Java 1.4.2
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P1
Component: Signature
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
Scott Cantor canto...@osu.edu changed:
What|Removed |Added
Status|NEW |RESOLVED
Sean Mullan wrote on 2009-07-14:
I have just putback a fix for this vulnerability to the source code
repository. This patch will be included in the (Java) version 1.4.3
release. Because of the potential severity of this issue, we are
planning an expedited release process for 1.4.3. I plan to
A jar is now available for testing:
http://people.apache.org/~mullan/dist/xmlsec-1.4.3beta1.jar
Here is a complete list of what bugs have been fixed:
Fixed Bug 47526: XML signature HMAC truncation authentication bypass
Fixed Bug 47525: Fix checkstyle problems with source and tests
need to do:
1. Crate an XML file, prepare the signature element including digest value
and save it to a file
2. a second application will read the file, find the hash and sign this hash
with a HMAC key and plase the result in the ds:SignatureValue
3. other application verify the signature
Problems i
/show_bug.cgi?id=38604
Summary: HMAC signature verification leaks with OpenSSL
Product: Security
Version: unspecified
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: C++ Signature
Hi,
I'm signing an xml document using hmac-sha1. I was just wondering what do peoplenormally fill in for the keyinfo element? I assume that you don't incorporate thiskeyinfo element into the document because you can't/shouldn't storethe secret in it. Or is there someway to incorporate
that useHMAC == false, but here is how
SignatureMethod was defined:
ds:SignatureMethod
Algorithm=*http://www.w3.org/2000/09/xmldsig#hmac-sha1*; /
Anyone have any idea why?
Thank you,
Milan
13 matches
Mail list logo