Return-Path: 
 <dev-return-16096-apmail-ws-dev-archive=ws.apache.org@ws.apache.org>
X-Original-To: apmail-ws-dev-archive@www.apache.org
Delivered-To: apmail-ws-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id A79D11071F
	for <apmail-ws-dev-archive@www.apache.org>;
 Tue, 10 Feb 2015 11:41:42 +0000 (UTC)
Received: (qmail 64355 invoked by uid 500); 10 Feb 2015 11:41:39 -0000
Delivered-To: apmail-ws-dev-archive@ws.apache.org
Received: (qmail 64151 invoked by uid 500); 10 Feb 2015 11:41:39 -0000
Mailing-List: contact dev-help@ws.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@ws.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@ws.apache.org>
List-Post: <mailto:dev@ws.apache.org>
List-Id: <dev.ws.apache.org>
Reply-To: dev@ws.apache.org
Delivered-To: mailing list dev@ws.apache.org
Received: (qmail 64122 invoked by uid 99); 10 Feb 2015 11:41:39 -0000
Received: from mail-relay.apache.org (HELO mail-relay.apache.org)
 (140.211.11.15)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Feb 2015 11:41:39 +0000
Received: from mail-wg0-f50.google.com (mail-wg0-f50.google.com
 [74.125.82.50])
	by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with
 ESMTPSA id ADB6A1A0456;
	Tue, 10 Feb 2015 11:41:38 +0000 (UTC)
Received: by mail-wg0-f50.google.com with SMTP id l2so6712190wgh.9;
        Tue, 10 Feb 2015 03:41:37 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.180.198.101 with SMTP id jb5mr8271601wic.92.1423568497229;
 Tue, 10 Feb 2015 03:41:37 -0800 (PST)
Reply-To: coheigea@apache.org
Received: by 10.194.14.164 with HTTP; Tue, 10 Feb 2015 03:41:37 -0800 (PST)
Date: Tue, 10 Feb 2015 11:41:37 +0000
Message-ID: 
 <CAB8XdGBJuywczWKQz5otQH4kgu2kEGtOxgZNpA5-2hy4f0ySeA@mail.gmail.com>
Subject: Two new security advisories released for Apache WSS4J
From: Colm O hEigeartaigh <coheigea@apache.org>
To: users@ws.apache.org, "dev@ws.apache.org" <dev@ws.apache.org>,
	Apache Security Response Team <security@apache.org>,
 oss-security@lists.openwall.com,
	bugtraq@securityfocus.com
Cc: Juraj Somorovsky <juraj.somorovsky@rub.de>
Content-Type: multipart/alternative; boundary=047d7b624d149766c2050eba5e79

--047d7b624d149766c2050eba5e79
Content-Type: text/plain; charset=UTF-8

Two new security advisories have been released for Apache WSS4J:

1) CVE-2015-0226: Apache WSS4J is (still) vulnerable to Bleichenbacher's
attack

http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc

2) CVE-2015-0227: Apache WSS4J doesn't correctly enforce the
requireSignedEncryptedDataElements property

http://ws.apache.org/wss4j/advisories/CVE-2015-0227.txt.asc

Please note that both of these advisories were fixed in WSS4J 2.0.2 and
1.6.17, both of which were released last year.

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

--047d7b624d149766c2050eba5e79
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Two new security advisories have been released for Ap=
ache WSS4J:<br><br>1) CVE-2015-0226: Apache WSS4J is (still) vulnerable to =
Bleichenbacher&#39;s attack<br><br><a href=3D"http://ws.apache.org/wss4j/ad=
visories/CVE-2015-0226.txt.asc">http://ws.apache.org/wss4j/advisories/CVE-2=
015-0226.txt.asc</a><br><br>2) CVE-2015-0227: Apache WSS4J doesn&#39;t corr=
ectly enforce the requireSignedEncryptedDataElements property<br><br><a hre=
f=3D"http://ws.apache.org/wss4j/advisories/CVE-2015-0227.txt.asc">http://ws=
.apache.org/wss4j/advisories/CVE-2015-0227.txt.asc</a><br><br></div>Please =
note that both of these advisories were fixed in WSS4J 2.0.2 and 1.6.17, bo=
th of which were released last year. <br><br>Colm.<br><div><div><div><br cl=
ear=3D"all"><br>-- <br><div class=3D"gmail_signature">Colm O hEigeartaigh<b=
r><br>Talend Community Coder<br><a href=3D"http://coders.talend.com" target=
=3D"_blank">http://coders.talend.com</a><br></div></div></div></div></div>

--047d7b624d149766c2050eba5e79--