Source: python-signxml
Version: 4.0.3+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for python-signxml.

CVE-2025-48994[0]:
| SignXML is an implementation of the W3C XML Signature standard in
| Python. When verifying signatures with X509 certificate validation
| turned off and HMAC shared secret set
| (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`),
| versions of SignXML prior to 4.0.4 are vulnerable to a potential
| algorithm confusion attack. Unless the user explicitly limits the
| expected signature algorithms using the
| `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker
| may supply a signature unexpectedly signed with a key other than the
| provided HMAC key, using a different (asymmetric key) signature
| algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes
| the set of accepted signature algorithms to be restricted to HMAC
| only, if not already restricted by the user.

CVE-2025-48995[1]:
| SignXML is an implementation of the W3C XML Signature standard in
| Python. When verifying signatures with X509 certificate validation
| turned off and HMAC shared secret set
| (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`),
| versions of SignXML prior to 4.0.4 are vulnerable to a potential
| timing attack. The verifier may leak information about the correct
| HMAC when comparing it with the user supplied hash, allowing users
| to reconstruct the correct HMAC for any data.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48994
    https://www.cve.org/CVERecord?id=CVE-2025-48994
    https://github.com/XML-Security/signxml/security/advisories/GHSA-6vx8-pcwv-xhf4
    https://github.com/XML-Security/signxml/commit/e3c0c2b82a3329a65d917830657649c98b8c7600
[1] https://security-tracker.debian.org/tracker/CVE-2025-48995
    https://www.cve.org/CVERecord?id=CVE-2025-48995
    https://github.com/XML-Security/signxml/security/advisories/GHSA-gmhf-gg8w-jw42
    https://github.com/XML-Security/signxml/commit/1b501faaacf34cf978a52dbc6915ec11e27611cd

Regards,
Salvatore
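The two properties the advisories above describe for a verifier that was handed an HMAC key, as an added example that is not part of the original report and is not SignXML's code: the SignatureMethod is checked against an HMAC-only allow-list before any key is used, and the MAC is compared in constant time. The function name, the exception, and the sample key and SignedInfo bytes are constructed for illustration, and the SignedInfo bytes are assumed to be already canonicalized.

```python
import base64
import hashlib
import hmac

# HMAC SignatureMethod URIs from the XML Signature specifications.
HMAC_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": hashlib.sha256,
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512": hashlib.sha512,
}
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


class UnexpectedAlgorithm(Exception):
    """The document names a SignatureMethod the caller did not ask for."""


def verify_with_hmac_key(method_uri, signed_info, signature_value_b64, hmac_key):
    """Hypothetical helper: verify SignatureValue over canonical SignedInfo.

    method_uri and signature_value_b64 come from the untrusted document.
    """
    # Algorithm confusion (CVE-2025-48994): the caller supplied an HMAC key,
    # so anything other than an HMAC method is rejected outright instead of
    # being dispatched to an asymmetric verification path.
    digest = HMAC_METHODS.get(method_uri)
    if digest is None:
        raise UnexpectedAlgorithm(method_uri)
    try:
        supplied = base64.b64decode(signature_value_b64, validate=True)
    except ValueError:
        return False
    expected = hmac.new(hmac_key, signed_info, digest).digest()
    # Timing leak (CVE-2025-48995): `expected == supplied` can return at the
    # first differing byte; compare_digest does not depend on where they differ.
    return hmac.compare_digest(expected, supplied)


# Constructed sample input, not taken from any real document.
KEY = b"constructed-shared-secret"
SIGNED_INFO = b'<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">constructed</SignedInfo>'
GOOD = base64.b64encode(hmac.new(KEY, SIGNED_INFO, hashlib.sha256).digest()).decode()
```

On SignXML versions before 4.0.4 the equivalent restriction has to be requested by the caller through the `expect_config` setting named in the advisory.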

