Date: Wed, 12 Sep 2012 02:06:32 -0400 (EDT)
From: David Jorm <djorm@...hat.com>
To: "oss-security " <oss-security@...ts.openwall.com>
Subject: CVE Request: Apache Axis2 XML Signature Wrapping Attack

Juraj Somorovsky and colleagues have described an XML Signature Wrapping (XSW) attack against a variety of platforms in a paper delivered at USENIX [0]. Various platforms are covered, including OpenSAML and Apache Axis2. OpenSAML is covered by CVE-2011-1411 [1], but I can't find a CVE ID for Axis2. Could one please be assigned? The OpenSAML CVE ID is 2011 because some vendors were given pre-notification of the issue in 2011. Since all the details were made public in 2012, I suggest assigning a 2012 CVE ID for Axis2.

Thanks
-- 
David Jorm / Red Hat Security Response Team

[0] http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411
