Hi all,
I have just putback a fix for this vulnerability to the source code repository.
This patch will be included in the (Java) version 1.4.3 release. Because of the
potential severity of this issue, we are planning an expedited release process
for 1.4.3. I plan to make available a jar for testing later today and a more
complete release candidate binary tomorrow. If no issues are found then we will
call for a vote later this week and work towards making a final version
available early next week.
Thanks,
Sean
bugzi...@apache.org wrote:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Summary: XML signature HMAC truncation authentication bypass
Product: Security
Version: Java 1.4.2
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P1
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: sean.mul...@sun.com
Apache XML Security (Java) is affected by the vulnerability published in
US-Cert VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more
information. This bug can allow an attacker to bypass authentication by
inserting/modifying a small HMAC truncation length parameter in the XML
Signature HMAC-based SignatureMethod algorithms.
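An added sketch, not part of this thread or of the Apache XML Security code base, showing in Python why a document-supplied HMACOutputLength must be bounded on the verifying side: the unchecked verifier accepts any SignatureValue once the truncation length drops to zero, while the checked one applies the floor RFC 2104 recommends (at least 80 bits and at least half the hash output). The key, the message and the exact floor used are assumptions, not values taken from the bug report.

```python
import hashlib
import hmac

HASH = hashlib.sha1  # the hash behind the XMLDSig hmac-sha1 SignatureMethod

# Constructed sample inputs: a shared secret and a stand-in for canonicalized SignedInfo.
KEY = b"constructed-shared-secret"
MESSAGE = b"<SignedInfo>constructed canonical form</SignedInfo>"


def truncated_hmac(key, message, output_bits):
    """HMAC over message, keeping only the leading output_bits bits (HMACOutputLength)."""
    full = hmac.new(key, message, HASH).digest()
    nbytes = (output_bits + 7) // 8
    trunc = bytearray(full[:nbytes])
    spare = nbytes * 8 - output_bits          # unused low bits in the last kept byte
    if spare:
        trunc[-1] &= (0xFF << spare) & 0xFF
    return bytes(trunc)


def verify_unchecked(key, message, signature_value, output_bits):
    """Pre-fix behaviour: trust whatever HMACOutputLength the signed document carries.

    With output_bits == 0 nothing is compared, so every SignatureValue is accepted;
    with only a handful of bits the comparison no longer provides authentication.
    """
    expected = truncated_hmac(key, message, output_bits)
    return hmac.compare_digest(expected, signature_value[:len(expected)])


def truncation_length_ok(output_bits):
    """RFC 2104 floor (assumed here): >= 80 bits, >= half the hash output, <= full output."""
    full_bits = HASH().digest_size * 8
    return max(80, full_bits // 2) <= output_bits <= full_bits


def verify_checked(key, message, signature_value, output_bits):
    """Hardened verification: refuse the signature outright if the truncation length is unsafe."""
    if not truncation_length_ok(output_bits):
        raise ValueError(f"unsafe HMACOutputLength {output_bits}")
    expected = truncated_hmac(key, message, output_bits)
    return len(signature_value) == len(expected) and hmac.compare_digest(expected, signature_value)
```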