santuario-dev mailing list archives

From Sean Mullan <Sean.Mul...@Sun.COM>
Subject Re: DO NOT REPLY [Bug 47526] New: XML signature HMAC truncation authentication bypass
Date Wed, 15 Jul 2009 19:14:23 GMT
1.4.3beta1 binary and source distributions (and ASCII-encoded PGP signatures) 
are now available at:

Signatures can be verified using the Keys in

Please let us know ASAP if you find any problems and thanks in advance for 
testing! If no issues are found by Friday, this will become the release 
candidate for 1.4.3.


Sean Mullan wrote:
> Hi all,
> I have just putback a fix for this vulnerability to the source code 
> repository. This patch will be included in the (Java) version 1.4.3 
> release. Because of the potential severity of this issue, we are 
> planning an expedited release process for 1.4.3. I plan to make 
> available a jar for testing later today and a more complete release 
> candidate binary tomorrow. If no issues are found then we will call for 
> a vote later this week and work towards making a final version available 
> early next week.
> Thanks,
> Sean
> wrote:
>>            Summary: XML signature HMAC truncation authentication bypass
>>            Product: Security
>>            Version: Java 1.4.2
>>           Platform: All
>>         OS/Version: All
>>             Status: NEW
>>           Severity: critical
>>           Priority: P1
>>          Component: Signature
>>         AssignedTo:
>>         ReportedBy:
>> Apache XML Security (Java) is affected by the vulnerability published in
>> US-Cert VU #466161. See: for more
>> information. This bug can allow an attacker to bypass authentication by
>> inserting/modifying a small HMAC truncation length parameter in the XML
>> Signature HMAC based SignatureMethod algorithms.
