Hi, This bug was raised 2 and a bit years ago and would seem quite important at first glance, but there has been no activity. Would someone be able to confirm whether it is as important as it sounds and whether a patch is available or even where the check mentioned is located?
This is the description: There's a bug in the Signature load routine that relates to a commented out check that was failing the load when unknown content appeared at the end of a Signature element. The code was unwisely changed to permit "non-conformant signatures", which is an absolutely indefensible decision. This is how you get security bugs. Non-conformant signatures can go right to hell. Adding an option to control this behavior is the absolute minimum we should do, but the default should be strict, and the rest of the load methods should be reviewed for any similar permissiveness. Many thanks, Graham This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
