I've created a maven distribution for people to test here:
http://people.apache.org/~coheigea/stage/xmlsec/1.4.3beta1/maven/org/apache/santuario/xmlsec/1.4.3beta1/

I've tested this artifact with WSS4J, CXF and Rampart and all is well. Just add the following to your pom to pick it up:

<repositories>
  <repository>
    <id>coheigea</id>
    <url>http://people.apache.org/~coheigea/stage/xmlsec/1.4.3beta1/maven/</url>
    <snapshots>
      <enabled>true</enabled>
    </snapshots>
    <releases>
      <enabled>true</enabled>
    </releases>
  </repository>
</repositories>

And obviously update your xml security version to 1.4.3beta1. Note that the jar itself is the same jar generated by Sean...it is NOT generated with maven, and so the resulting jar is not an OSGi bundle, even though the pom contains the relevant plugin information to generate an OSGi bundle. This is something we can look at for the next release I guess.

Colm.

-----Original Message-----
From: sean.mul...@sun.com [mailto:sean.mul...@sun.com]
Sent: 15 July 2009 20:14
To: security-dev@xml.apache.org
Subject: Re: DO NOT REPLY [Bug 47526] New: XML signature HMAC truncation authentication bypass

1.4.3beta1 binary and source distributions (and ASCII-encoded PGP signatures) are now available at:
http://people.apache.org/~mullan/dist/

Signatures can be verified using the Keys in http://santuario.apache.org/dist/KEYS

Please let us know ASAP if you find any problems and thanks in advance for testing! If no issues are found by Friday, this will become the release candidate for 1.4.3.

Thanks,
Sean

Sean Mullan wrote:
> Hi all,
>
> I have just putback a fix for this vulnerability to the source code
> repository. This patch will be included in the (Java) version 1.4.3
> release. Because of the potential severity of this issue, we are
> planning an expedited release process for 1.4.3. I plan to make
> available a jar for testing later today and a more complete release
> candidate binary tomorrow. If no issues are found then we will call for
> a vote later this week and work towards making a final version available
> early next week.
>
> Thanks,
> Sean
>
> bugzi...@apache.org wrote:
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
>>
>> Summary: XML signature HMAC truncation authentication bypass
>> Product: Security
>> Version: Java 1.4.2
>> Platform: All
>> OS/Version: All
>> Status: NEW
>> Severity: critical
>> Priority: P1
>> Component: Signature
>> AssignedTo: security-dev@xml.apache.org
>> ReportedBy: sean.mul...@sun.com
>>
>>
>> Apache XML Security (Java) is affected by the vulnerability published in
>> US-Cert VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more
>> information. This bug can allow an attacker to bypass authentication by
>> inserting/modifying a small HMAC truncation length parameter in the XML
>> Signature HMAC based SignatureMethod algorithms.
>>
>
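The check that closes the HMACOutputLength hole described in the bug report, as an added illustration that is not Santuario's code: the verifier reads ds:HMACOutputLength from SignedInfo and refuses any length below half the digest size or below 80 bits (the floor XML Signature 1.1 later made mandatory), so a tampered SignedInfo can no longer shrink the compared MAC to nothing. The key, the SignedInfo fragment and the whole-byte-only simplification are constructed for this example; real verifiers canonicalize SignedInfo (C14N) before hashing.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# XML-DSig / RFC 4051 algorithm URIs mapped to hashlib digest names.
HMAC_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": "sha256",
}

def effective_bits(sig_method, digest_bits):
    """Truncation length for a ds:SignatureMethod, enforcing the XML Signature 1.1
    floor: at least half the digest length and never fewer than 80 bits."""
    node = sig_method.find(DS + "HMACOutputLength")
    if node is None:
        return digest_bits              # no truncation requested: full MAC
    n = int(node.text.strip())
    # Simplification: whole bytes only (the spec allows any bit count).
    if n % 8 or n > digest_bits or n < max(80, digest_bits // 2):
        raise ValueError(f"HMACOutputLength {n} rejected")
    return n

def _mac(signed_info_xml, key):
    sm = ET.fromstring(signed_info_xml).find(DS + "SignatureMethod")
    alg = HMAC_ALGS[sm.get("Algorithm")]
    digest_bits = hashlib.new(alg).digest_size * 8
    nbits = effective_bits(sm, digest_bits)
    # Raw bytes stand in for the canonicalized (C14N) SignedInfo.
    return hmac.new(key, signed_info_xml.encode(), alg).digest()[: nbits // 8]

def sign_signed_info(signed_info_xml, key):
    return base64.b64encode(_mac(signed_info_xml, key)).decode()

def verify_signed_info(signed_info_xml, key, signature_value_b64):
    """Constant-time comparison of the (validated-length) MAC with SignatureValue."""
    expected = _mac(signed_info_xml, key)
    return hmac.compare_digest(expected, base64.b64decode(signature_value_b64))

# Constructed sample data, not taken from the release or the bug report.
KEY = b"constructed-demo-key"
SIGNED_INFO = (
    '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256">'
    '<HMACOutputLength>128</HMACOutputLength></SignatureMethod></SignedInfo>'
)
```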