A jar is now available for testing:
http://people.apache.org/~mullan/dist/xmlsec-1.4.3beta1.jar
Here is a complete list of what bugs have been fixed:
Fixed Bug 47526: XML signature HMAC truncation authentication bypass
Fixed Bug 47525: Fix checkstyle problems with source and tests.
Fixed Bug 42239: ECDSA signature value interoperability patch.
Fixed Bug 45744: XPath transform and xml-stylesheet.
Fixed Bug 42986: The </#document> node inserted at the end of SOAPEnvelope.
Fixed Bug 47029: Unnecessary namespace declarations on EncryptedData children.
Fixed Bug 44335: Can't validate after invalid validation.
Fixed Bug 47260: Improve Java unit testing.
Fixed Bug 47265: Some website updates.
Fixed Bug 45388: We need a POM file added to the Maven repository.
Fixed Bug 47483: Remove JDK 1.5 API dependencies
Fixed bug 47057: Downgrade signature verification logging from "info". Thanks to Colm O hEigeartaigh.
Fixed bug 42061: Method to disable XMLUtils.addReturnToElement (reopened): changed Base64 code to ignore line breaks, if enabled. Thanks to Colm O hEigeartaigh.
Fixed bug 47097: Reusing XMLSignature for signing and verifying fails on same thread. Thanks to Bruno Harbulot.
Fixed bug 46732: Failed to add more than one child element to EncryptionMethod.
Fixed bug 46101: org.apache.xml.security.utils.IdResolver is not thread safe
Fixed bug 45961: verify with own canonicalization method. Thanks to Anton Kosyakov.
Fixed bug 45475: XMLSignature::getKeyInfo method modifies document
Fixed bug 45811: Fix XMLSec 1.4.2 problems reported by findbugs
Fixed bug 45706: Transform.register class loading and recursive instantiation problems
Fixed bug 45664: Some calls should be wrapped in AccessController.doPrivileged
Fixed bug 45634: Restore XMLUtils.createDSctx method.
Fixed bug 45095: log4j.properties in xmlsec sources and builds has side effects in production environment. Thanks to Joachim Rousseau.
Sean Mullan wrote:
Hi all,
I have just putback a fix for this vulnerability to the source code
repository. This patch will be included in the (Java) version 1.4.3
release. Because of the potential severity of this issue, we are
planning an expedited release process for 1.4.3. I plan to make
available a jar for testing later today and a more complete release
candidate binary tomorrow. If no issues are found then we will call for
a vote later this week and work towards making a final version available
early next week.
Thanks,
Sean
bugzi...@apache.org wrote:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Summary: XML signature HMAC truncation authentication bypass
Product: Security
Version: Java 1.4.2
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P1
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: sean.mul...@sun.com
Apache XML Security (Java) is affected by the vulnerability published in
US-Cert VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more
information. This bug can allow an attacker to bypass authentication by
inserting/modifying a small HMAC truncation length parameter in the XML
Signature HMAC based SignatureMethod algorithms.