A new security advisory for Apache Santuario has been issued - CVE-2014-8152 - "Streaming XML Signature verification failure". It is a critical advisory for anyone using the streaming XML Signature support introduced in the 2.0.0 release. The DOM implementation is not affected.
This issue is fixed in the recently released version 2.0.3. The security advisory is linked on the security advisories page of Apache Santuario and also attached to this mail: http://santuario.apache.org/secadv.html Colm. -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-8152: Streaming XML Signature verification failure Severity: Critical Vendor: The Apache Software Foundation Versions Affected: This vulnerability affects all 2.0.x versions of Apache Santuario XML Security for Java until 2.0.3. It does not affect 1.4.x or 1.5.x. Description: The 2.0.x series of releases of the Apache Santuario XML Security for Java library introduced support for streaming (StAX-based) XML Signature and Encryption. For certain XML documents, it is possible to modify the document and the streaming XML Signature verification code will not report an error when trying to validate the signature. Please note that the "in-memory" (DOM) API for XML Signature is not affected by this issue, nor is the JSR-105 API. Also, web service stacks that use the streaming functionality of Apache Santuario (such as Apache CXF/WSS4J) are also not affected by this vulnerability. This has been fixed in revision: http://svn.apache.org/viewvc?view=revision&revision=1634334 Migration: This issue does not affect 1.5.x users. 2.0.x users should upgrade to 2.0.3 as soon as possible. Credit: This issue was reported by Jaime Pallarés Rel, Software Development Director at Logalty -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJUrrwJAAoJEGe/gLEK1TmDSg4H/Rcb0ZYuFdfzAFdPJ3ro3T0B AljyrquaqvzPh55KVXzl7KWtzalYGC0+ME6iuVWhD1E/Ah9U7Oa8AMy9F+cxg/5M iWaHpxwH9ir09quuxQkd1Ng6FI+chjilYmqs0RpMTs+YIKLaul31BqbawYvkw6P4 7v5mh5FiY0I2ghqqci2OuQyBauXYj9cTYURZWCxmWLAd2cCOYojXQUte2neLHYDi /m6YIfE1Nyxpyb6/mNM0SD2PO238N2ekDlCgM9kwVqnIGGclUacbFuCg+JC1++pH /VrFKYqjZcgcnAYOLIuSdYXSp9n859+0FEg7vI/6UkfMMjnpfE4qpNd8J7dOIhI= =DvCI -----END PGP SIGNATURE-----
