Date: Wed, 12 Sep 2012 02:06:32 -0400 (EDT)
From: David Jorm <djorm@...hat.com>
To: "oss-security " <oss-security@...ts.openwall.com>
Subject: CVE Request: Apache Axis2 XML Signature Wrapping Attack

Juraj Somorovsky and colleagues have described an XML Signature Wrapping (XSW) attack against a variety of platforms in a paper delivered at USENIX. Various platforms are covered, including OpenSAML and Apache Axis2. OpenSAML is covered by CVE-2011-1411, but I can't find a CVE ID for Axis2. Could one please be assigned?

The OpenSAML CVE ID is 2011 because some vendors were given pre-notification of the issue in 2011. Since all the details were made public in 2012, I suggest assigning a 2012 CVE ID for Axis2.

Thanks
--
David Jorm / Red Hat Security Response Team

http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411