Date: Wed, 12 Sep 2012 19:08:02 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: David Jorm <djorm@...hat.com>
Subject: Re: CVE Request: Apache Axis2 XML Signature Wrapping Attack

On 09/12/2012 12:06 AM, David Jorm wrote:
> Juraj Somorovsky and colleagues have described an XML Signature
> Wrapping (XSW) attack against a variety of platforms in a paper
> delivered at USENIX [0]. Various platforms are covered, including
> OpenSAML and Apache Axis2. OpenSAML is covered by CVE-2011-1411
> [1], but I can't find a CVE ID for Axis2. Could one please be
> assigned? The OpenSAML CVE ID is 2011 because some vendors were
> given pre-notification of the issue in 2011. Since all the details
> were made public in 2012, I suggest assigning a 2012 CVE ID for
> Axis2.
> 
> Thanks
> 

Please use CVE-2012-4418 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

