Date: Mon, 19 Jan 2015 15:50:44 +0000
From: Colm O hEigeartaigh <coheigea@...che.org>
To: users@...tuario.apache.org, 
	"dev@...tuario.apache.org" <dev@...tuario.apache.org>
Cc: Jaime pallares <jprel@...mail.com>, Apache Security Response Team <security@...che.org>, 
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: New Apache Santuario security advisory CVE-2014-8152

A new security advisory for Apache Santuario has been issued -
CVE-2014-8152 - "Streaming XML Signature verification failure". It is a
critical advisory for anyone using the streaming XML Signature support
introduced in the 2.0.0 release. The DOM implementation is not affected.

This issue is fixed in the recently released version 2.0.3.

The security advisory is linked on the security advisories page of Apache
Santuario and also attached to this mail:
http://santuario.apache.org/secadv.html

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-8152: Streaming XML Signature verification failure

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all 2.0.x versions of Apache Santuario XML Security
for Java until 2.0.3. It does not affect 1.4.x or 1.5.x.

Description:

The 2.0.x series of releases of the Apache Santuario XML Security for Java
library introduced support for streaming (StAX-based) XML Signature and
Encryption.

For certain XML documents, it is possible to modify the document and the
streaming XML Signature verification code will not report an error when trying
to validate the signature.

Please note that the "in-memory" (DOM) API for XML Signature is not affected
by this issue, nor is the JSR-105 API. Web service stacks that use the
streaming functionality of Apache Santuario (such as Apache CXF/WSS4J) are also
not affected by this vulnerability.

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1634334

Migration:

This issue does not affect 1.5.x users.
2.0.x users should upgrade to 2.0.3 as soon as possible.

Credit: This issue was reported by Jaime Pallarés Rel, Software Development
Director at Logalty.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUrrwJAAoJEGe/gLEK1TmDSg4H/Rcb0ZYuFdfzAFdPJ3ro3T0B
AljyrquaqvzPh55KVXzl7KWtzalYGC0+ME6iuVWhD1E/Ah9U7Oa8AMy9F+cxg/5M
iWaHpxwH9ir09quuxQkd1Ng6FI+chjilYmqs0RpMTs+YIKLaul31BqbawYvkw6P4
7v5mh5FiY0I2ghqqci2OuQyBauXYj9cTYURZWCxmWLAd2cCOYojXQUte2neLHYDi
/m6YIfE1Nyxpyb6/mNM0SD2PO238N2ekDlCgM9kwVqnIGGclUacbFuCg+JC1++pH
/VrFKYqjZcgcnAYOLIuSdYXSp9n859+0FEg7vI/6UkfMMjnpfE4qpNd8J7dOIhI=
=DvCI
-----END PGP SIGNATURE-----
