[ https://issues.apache.org/jira/browse/CXF-5565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13903912#comment-13903912 ]
Colm O hEigeartaigh commented on CXF-5565:
------------------------------------------
FYI, we don't actually use the decryption capabilities of OpenSAML anywhere in
CXF that I'm aware of. Also, WSS4J already sets up OpenSAML in a way to avoid this kind
of attack (initializeParserPool method):
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/saml/ext/OpenSAMLBootstrap.java?view=markup
Colm.
> update to opensaml 2.6.1
> ------------------------
>
> Key: CXF-5565
> URL: https://issues.apache.org/jira/browse/CXF-5565
> Project: CXF
> Issue Type: Task
> Reporter: Jonathan Anstey
> Attachments: CXF-5565.patch
>
>
> Fixes CVE-2013-6440. Waiting for SMX bundles release to complete first though.