Posted to commits@santuario.apache.org by bu...@apache.org on 2013/06/18 01:23:32 UTC

svn commit: r865992 - in /websites/production/santuario/content: ./ cache/ secadv.data/

Author: buildbot
Date: Mon Jun 17 23:23:32 2013
New Revision: 865992

Log:
Production update by buildbot for santuario

Added:
    websites/production/santuario/content/secadv.data/CVE-2013-2153.txt
    websites/production/santuario/content/secadv.data/CVE-2013-2154.txt
    websites/production/santuario/content/secadv.data/CVE-2013-2155.txt
    websites/production/santuario/content/secadv.data/CVE-2013-2156.txt
Modified:
    websites/production/santuario/content/cache/main.pageCache
    websites/production/santuario/content/cindex.html
    websites/production/santuario/content/download.html
    websites/production/santuario/content/index.html
    websites/production/santuario/content/oldnews.html
    websites/production/santuario/content/secadv.html

Modified: websites/production/santuario/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/santuario/content/cindex.html
==============================================================================
--- websites/production/santuario/content/cindex.html (original)
+++ websites/production/santuario/content/cindex.html Mon Jun 17 23:23:32 2013
@@ -128,7 +128,7 @@ Apache Santuario -- c_index
 
 <h3><a shape="rect" name="c_index-News"></a>News</h3>
 
-<p>The Apache Santuario team are pleased to announce the release of version 1.7.0 of the Apache XML Security for C++ library. This release provides a few bug fixes and a partial implementation of XML Encryption 1.1 features, including AES-GCM encryption and some support for newer RSA-OAEP variants.</p>
+<p>Version 1.7.1 of the Apache XML Security for C++ library has been released. This release addresses a number of <a shape="rect" href="secadv.html" title="secadv">security vulnerabilities</a> reported to the project. All library users should upgrade to this release as soon as practical.</p>
 
 <h3><a shape="rect" name="c_index-OldNews"></a>Old News</h3>
 
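Review bot: the replacement news paragraph in cindex.html says 1.7.1 addresses "a number of security vulnerabilities" without naming them, while the index.html change in this same commit lists CVE-2013-2153 through CVE-2013-2156; listing the four identifiers here as well would let readers searching by CVE find the C++ index page and match it against the secadv.html entries. The removed 1.7.0 announcement is preserved in oldnews.html, so dropping it from this page is fine.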

Modified: websites/production/santuario/content/download.html
==============================================================================
--- websites/production/santuario/content/download.html (original)
+++ websites/production/santuario/content/download.html Mon Jun 17 23:23:32 2013
@@ -131,7 +131,7 @@ Apache Santuario -- download
 <ul><li>The current Java release is Apache XML Security for Java 1.5.4: <a shape="rect" class="external-link" href="http://www.apache.org/dyn/closer.cgi?path=/santuario/java-library/1_5_4/xml-security-bin-1_5_4.zip">xml-security-bin-1_5_4.zip</a> (<a shape="rect" class="external-link" href="http://www.apache.org/dist/santuario/java-library/1_5_4/xml-security-bin-1_5_4.zip.asc">PGP</a>) (<a shape="rect" class="external-link" href="http://www.apache.org/dist/santuario/java-library/1_5_4/xml-security-bin-1_5_4.zip.md5">MD5</a>)</li></ul>
 
 
-<ul><li>The current C++ release is Apache XML Security for C++ 1.7.0: <a shape="rect" class="external-link" href="http://www.apache.org/dyn/closer.cgi?path=/santuario/c-library/xml-security-c-1.7.0.tar.gz">xml-security-c-1.7.0.tar.gz</a> (<a shape="rect" class="external-link" href="http://www.apache.org/dist/santuario/c-library/xml-security-c-1.7.0.tar.gz.asc">PGP</a>) (<a shape="rect" class="external-link" href="http://www.apache.org/dist/santuario/c-library/xml-security-c-1.7.0.tar.gz.md5">MD5</a>)</li></ul>
+<ul><li>The current C++ release is Apache XML Security for C++ 1.7.1: <a shape="rect" class="external-link" href="http://www.apache.org/dyn/closer.cgi?path=/santuario/c-library/xml-security-c-1.7.1.tar.gz">xml-security-c-1.7.1.tar.gz</a> (<a shape="rect" class="external-link" href="http://www.apache.org/dist/santuario/c-library/xml-security-c-1.7.1.tar.gz.asc">PGP</a>) (<a shape="rect" class="external-link" href="http://www.apache.org/dist/santuario/c-library/xml-security-c-1.7.1.tar.gz.md5">MD5</a>)</li></ul>
 
 
 <h3><a shape="rect" name="download-Archiveofoldreleases"></a>Archive of old releases</h3>
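Review bot: the 1.7.1 download line keeps an MD5 checksum link alongside the PGP signature; since MD5 is collision-prone and this release exists to fix signature-bypass and memory-corruption bugs, consider publishing a SHA-256 or SHA-512 digest as well and pointing users at the .asc signature as the authoritative check. The pattern of serving the tarball from the closer.cgi mirror redirector while the .asc and .md5 come from www.apache.org/dist is the right one and should be kept, since a mirror could serve a tampered archive together with a matching checksum.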

Modified: websites/production/santuario/content/index.html
==============================================================================
--- websites/production/santuario/content/index.html (original)
+++ websites/production/santuario/content/index.html Mon Jun 17 23:23:32 2013
@@ -133,6 +133,12 @@ Apache Santuario -- Index
 
 <h3><a shape="rect" name="Index-News"></a>News</h3>
 
+<h5><a shape="rect" name="Index-June2013"></a>June 2013</h5>
+
+<p>Security advisories <a shape="rect" href="secadv.html" title="secadv">CVE-2013-2153</a>, <a shape="rect" href="secadv.html" title="secadv">CVE-2013-2154</a>, <a shape="rect" href="secadv.html" title="secadv">CVE-2013-2155</a>, and <a shape="rect" href="secadv.html" title="secadv">CVE-2013-2156</a>, affecting Apache XML-Security for C++ versions prior to 1.7.1, have been issued.</p>
+
+<p>Version 1.7.1 of the Apache XML Security for C++ library has been released, addressing these issues.</p>
+
 <h5><a shape="rect" name="Index-March2013"></a>March 2013</h5>
 
 <p>Version 1.5.4 of the Apache XML Security for Java library has been released. </p>
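Review bot: the four CVE links in the new June 2013 paragraph all point at the generic secadv.html page with the same title="secadv", rather than at the per-advisory files secadv.data/CVE-2013-2153.txt to CVE-2013-2156.txt added in this commit; linking each identifier to its own signed advisory text would take readers straight to the affected-version and mitigation details. The product name is also written "XML-Security for C++" here but "XML Security for C++" in the next sentence and in cindex.html; pick one spelling.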

Modified: websites/production/santuario/content/oldnews.html
==============================================================================
--- websites/production/santuario/content/oldnews.html (original)
+++ websites/production/santuario/content/oldnews.html Mon Jun 17 23:23:32 2013
@@ -116,6 +116,10 @@ Apache Santuario -- old_news
            <div class="wiki-content">
 <div class="wiki-content maincontent"><h1><a shape="rect" name="old_news-OldNews"></a>Old News</h1>
 
+<h3><a shape="rect" name="old_news-ApacheXMLSecurityforC1.7.0"></a>Apache XML Security for C++ 1.7.0</h3>
+
+<p>The Apache Santuario team are pleased to announce the release of version 1.7.0 of the Apache XML Security for C++ library. This release provides a few bug fixes and a partial implementation of XML Encryption 1.1 features, including AES-GCM encryption and some support for newer RSA-OAEP variants.</p>
+
 <h3><a shape="rect" name="old_news-ApacheXMLSecurityforJava1.5.3"></a>Apache XML Security for Java 1.5.3</h3>
 
 <p>Version 1.5.3 of the Apache XML Security for Java library has been released. This release features support for new XML Signature 1.1 KeyInfo extensions. It also fixes a number of bugs including a problem when message sizes are greater than 512 MB.</p>
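Review bot: the 1.7.0 announcement moved into oldnews.html is reproduced verbatim and gives no hint that 1.7.0 is affected by the four June 2013 advisories; a one-line pointer on this entry such as "superseded by 1.7.1, see secadv.html" would stop a reader who lands on the old-news page from treating 1.7.0 as a safe release.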

Added: websites/production/santuario/content/secadv.data/CVE-2013-2153.txt
==============================================================================
--- websites/production/santuario/content/secadv.data/CVE-2013-2153.txt (added)
+++ websites/production/santuario/content/secadv.data/CVE-2013-2153.txt Mon Jun 17 23:23:32 2013
@@ -0,0 +1,57 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2013-2153: Apache Santuario XML Security for C++ contains an
+XML Signature Bypass issue
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Apache Santuario XML Security for C++ library versions
+prior to V1.7.1
+
+Description: The implementation of XML digital signatures in the
+Santuario-C++ library is vulnerable to a spoofing issue allowing an
+attacker to reuse existing signatures with arbitrary content. 
+
+The vulnerability affects only applications that do not perform
+proper checking/analysis of the content of the Reference elements
+in the Signature, but the bug exacerbates this problem by opening
+such applications to attacks using arbitrary content, instead of
+just attacks involving malicious, but signed, content.
+
+
+Mitigation: Applications using library versions older than V1.7.1 should
+upgrade as soon as possible. Distributors of older versions should apply the
+patches from this subversion revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=r1493959
+
+Applications that appropriately examine the content of the signatures
+they accept are immune to this issue. The only API provided for
+this purpose in the library is to examine the individual Reference
+elements to enforce limitations over their content, and doing so will
+prevent this vulnerability. Developers with questions about this should
+inquire on the Santuario project's mailing list.
+
+Credit: This issue was reported by James Forshaw, Context Information Security
+
+References: http://santuario.apache.org/
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.13 (Darwin)
+
+iQIcBAEBCgAGBQJRv5QmAAoJEDeLhFQCJ3liuhgP/3Pt/aaMwnHrxs8cniqmaJW3
+dmWh4oB7f4I19uq2gibQ/TbPwW563HWiAZCpEgDP4nATNZTLWmrkwk64BoOCN6Og
++b1R0mWBA/xN4YMx56DTICuRhI1DwjaHCNQ7ZGkh+ucKwRANbJuiH7TsQQwDBoiJ
+quj7s1bBwTpnXQbD+iUyuX/ctZyJSZfVuFNxxuQTia4HDpa8O7Hf/8yh1WqzuH2V
+GD7KjjY5w69cgTJXDh6LWZkApFvUMOqdRP5lbu2dPIJi3zwliEdvmFXi+v+MfiQ4
+GrLB+mqcZ7DH3P/BtBsmktY8iuaXxdgvm89klE9+JNzJV+Me6TMk6NZ5BEbXeiSE
+0njH3s++/Pwl6iLoyNiHDL+GTvvcC5Imte9qJr0RCEkZy0STlMovsYNuyynv1XXX
+hek2ocd3946kNY3XZ+FxX7/5F0bEg0yLJk039fobB2/XIjnBNbguPtq7LX2C88Ub
+LmHUGmh5H34hi9er1xszOFVJMewBdYvlac6Db6xUMoSwad0h/SM3N1C6uGdGjG1b
+9fh1Gmm3jFQbR/AwPVSYvZvQs1f/v5k0qBD60yTC+MgXAtAYACSr+H+DoyDa7a3z
+oYxoMdMauW4j8YpziCnmDOxlMR4FrVjy4f//qr96AoWIxx+wWrg8Dxpqfh4GoAXx
+drtHl/drh3L0ncGu3qCi
+=XPT3
+-----END PGP SIGNATURE-----
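Review bot: the patch URL in the Mitigation section, http://svn.apache.org/viewvc?view=revision&revision=r1493959, carries an "r" prefix on the revision parameter, whereas the CVE-2013-2155 and CVE-2013-2156 advisories use bare numbers (1493960, 1493961); the link should be checked before the signed text is published, and since the file is a PGP clearsigned message any correction requires re-signing rather than editing in place. The text also says "the only API provided for this purpose in the library is to examine the individual Reference elements" without naming the call; naming the class or method would let integrators verify the immune configuration rather than leaving it to a mailing-list question.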

Added: websites/production/santuario/content/secadv.data/CVE-2013-2154.txt
==============================================================================
--- websites/production/santuario/content/secadv.data/CVE-2013-2154.txt (added)
+++ websites/production/santuario/content/secadv.data/CVE-2013-2154.txt Mon Jun 17 23:23:32 2013
@@ -0,0 +1,52 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2013-2154: Apache Santuario XML Security for C++ contains a stack
+overflow during XPointer evaluation
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Apache Santuario XML Security for C++ library versions
+prior to V1.7.1
+
+Description: A stack overflow, possibly leading to arbitrary code
+execution, exists in the processing of malformed XPointer expressions
+in the XML Signature Reference processing code.
+
+An attacker could use this to exploit an application performing
+signature verification if the application does not block the
+evaluation of such references prior to performing the verification
+step. The exploit would occur prior to the actual verification of
+the signature, so does not require authenticated content.
+
+Mitigation: Applications that do not otherwise prevent the evaluation of
+XPointer expressions during signature verification and are using library
+versions older than V1.7.1 should upgrade as soon as possible. Distributors
+of older versions should apply the patches from this subversion revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=r1493959
+
+The first chunk of the patch to DSIGReference.cpp is the relevant portion.
+
+Credit: This issue was reported by James Forshaw, Context Information Security
+
+References: http://santuario.apache.org/
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.13 (Darwin)
+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+=jWQ0
+-----END PGP SIGNATURE-----
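Review bot: the Mitigation section reuses the http://svn.apache.org/viewvc?view=revision&revision=r1493959 URL with the "r" prefix, the same inconsistency as in CVE-2013-2153.txt, so both links should be verified together. The Description calls the bug a "stack overflow, possibly leading to arbitrary code execution"; a stack-based buffer overflow and stack exhaustion from unbounded recursion are triaged and backported differently by distributors, so the advisory should say outright which of the two it is (the pointer to the first chunk of the DSIGReference.cpp patch helps, but the text should not rely on readers diffing the source).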

Added: websites/production/santuario/content/secadv.data/CVE-2013-2155.txt
==============================================================================
--- websites/production/santuario/content/secadv.data/CVE-2013-2155.txt (added)
+++ websites/production/santuario/content/secadv.data/CVE-2013-2155.txt Mon Jun 17 23:23:32 2013
@@ -0,0 +1,48 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2013-2154: Apache Santuario XML Security for C++ contains denial
+of service and hash length bypass issues while processing HMAC signatures
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Apache Santuario XML Security for C++ library versions
+prior to V1.7.1
+
+Description: A bug exists in the processing of the output length of an
+HMAC-based XML Signature that would cause a denial of service when
+processing specially chosen input. Exploitation of this issue does
+not require authenticated content.
+
+In very unusual cases, inputs could be chosen in such a way that
+the fix for the issue in CVE-2009-0217 could be bypassed, enabling
+improper verification of a signature.
+
+Mitigation: Applications that support HMAC signatures and are using library
+versions older than V1.7.1 should upgrade as soon as possible. Distributors
+of older versions should apply the patches from this subversion revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1493960
+
+Credit: This issue was reported by James Forshaw, Context Information Security
+
+References: http://santuario.apache.org/
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.13 (Darwin)
+
+iQIcBAEBCgAGBQJRv5RKAAoJEDeLhFQCJ3lixeEQALUuT+1vjZDpQ3mOUEk0TKFT
+NnZEkjFE7j+XR71YTo4GYYer+zQj1La7daTcC4/3Tfcm4Ph1SZUQj2zEd6C1K78K
+9TC64ekPLVZAZRg5tDknESnlARtWfICphv8Nu0nPBGyIW8/WAx89ayupuzWp2P2C
+muixBZdn6gb/e77E5RKZi/nPZ8FLPK07HGjGRfj2DS6i+006NLlLTUVgEeSFiWwZ
+ykmodujzev5CSrLzdJ297iZyePtDgaK4DXX6nOa8hEDXe+0oOfp9zo4etfzp/K/C
+dqisRpGsoBz4D7sI6HvIfHpwH4zYXjxi0CEHHfrgWft9p2f2VVIyylaZSn6v0Tre
+jyizshls690cwYyMgIs4qGMwFLHL0jpSIUkKh5OyfsQ5dxA6nnrxmS/OaHATwoMw
+QkP2mtKWOOmuenxss5e818cdJgy6BCoB0rJAAw49bldm7OSiMf+v2wbrMypw0Qp3
+q95OWRht6Icxl6m2LCRZvzAIaJR4ggTrcKSO+/bDsZROqeNCXXMwuh+FOTolL55h
+vUOKuT0PZU003guazgQh0rovONhMWZz3cpyliXo3D6WVN4TBYpd9P4k3H5tU9s5u
+5J6Nkfz316sTLasr06aizgi7hWY5SHGkC76l0fyjTwVI6VL2Am/hhRy0HsbEr/L/
+MOcGwLXK1AelnBa2oDLO
+=1r37
+-----END PGP SIGNATURE-----
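Review bot: the title line of this advisory reads "CVE-2013-2154: Apache Santuario XML Security for C++ contains denial of service and hash length bypass issues while processing HMAC signatures", but the file is CVE-2013-2155.txt and secadv.html in this same commit lists the HMAC issue as CVE-2013-2155; the header identifier is wrong and, because the text is PGP clearsigned, fixing it means re-signing the advisory. Readers matching advisories to CVE feeds will otherwise find two documents claiming CVE-2013-2154.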

Added: websites/production/santuario/content/secadv.data/CVE-2013-2156.txt
==============================================================================
--- websites/production/santuario/content/secadv.data/CVE-2013-2156.txt (added)
+++ websites/production/santuario/content/secadv.data/CVE-2013-2156.txt Mon Jun 17 23:23:32 2013
@@ -0,0 +1,50 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2013-2156: Apache Santuario XML Security for C++ contains heap
+overflow while processing InclusiveNamespace PrefixList
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Apache Santuario XML Security for C++ library versions
+prior to V1.7.1
+
+Description: A heap overflow exists in the processing of the PrefixList
+attribute optionally used in conjunction with Exclusive Canonicalization,
+potentially allowing arbitary code execution. If verification of
+the signature occurs prior to actual evaluation of a signing key,
+this could be exploited by an unauthenticated attacker.
+
+
+Mitigation: Applications using library versions older than V1.7.1 should
+upgrade as soon as possible. Distributors of older versions should apply the
+patches from this subversion revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1493961
+
+Applications that prevent the use of Exclusive Canonicalization through
+the examination of signature content prior to verification are immune
+to this issue.
+
+Credit: This issue was reported by James Forshaw, Context Information Security
+
+References: http://santuario.apache.org/
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.13 (Darwin)
+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+=I064
+-----END PGP SIGNATURE-----
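Review bot: "arbitary" in the Description should read "arbitrary", and as with the other advisories the correction needs a fresh signature since the text is clearsigned. The sentence "If verification of the signature occurs prior to actual evaluation of a signing key, this could be exploited by an unauthenticated attacker" leaves it to the reader to work out whether the library's default verification order does that; stating explicitly whether PrefixList parsing runs before key resolution in the default flow would let integrators decide whether they are in the unauthenticated case.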

Modified: websites/production/santuario/content/secadv.html
==============================================================================
--- websites/production/santuario/content/secadv.html (original)
+++ websites/production/santuario/content/secadv.html Mon Jun 17 23:23:32 2013
@@ -116,7 +116,23 @@ Apache Santuario -- secadv
            <div class="wiki-content">
 <div class="wiki-content maincontent"><p>The following security advisories have been issued in connection with the Santuario Project.</p>
 
-<ul><li><a shape="rect" href="secadv.data/CVE-2011-2516.txt?version=1&amp;modificationDate=1370360230363">CVE-2011-2516</a>: Apache Santuario XML Security for C++ contains buffer overflows signing or verifying with large keys.</li></ul>
+<h3><a shape="rect" name="secadv-2013"></a>2013</h3>
+
+<ul><li><a shape="rect" href="secadv.data/CVE-2013-2153.txt?version=1&amp;modificationDate=1371509998000">CVE-2013-2153</a>: Apache Santuario XML Security for C++ contains an XML Signature Bypass issue</li></ul>
+
+
+<ul><li><a shape="rect" href="secadv.data/CVE-2013-2154.txt?version=1&amp;modificationDate=1371509987000">CVE-2013-2154</a>: Apache Santuario XML Security for C++ contains a stack overflow during XPointer evaluation</li></ul>
+
+
+<ul><li><a shape="rect" href="secadv.data/CVE-2013-2155.txt?version=1&amp;modificationDate=1371509977000">CVE-2013-2155</a>: Apache Santuario XML Security for C++ contains denial of service and hash length bypass issues while processing HMAC signatures</li></ul>
+
+
+<ul><li><a shape="rect" href="secadv.data/CVE-2013-2156.txt?version=1&amp;modificationDate=1371510008000">CVE-2013-2156</a>: Apache Santuario XML Security for C++ contains heap overflow while processing InclusiveNamespace PrefixList</li></ul>
+
+
+<h3><a shape="rect" name="secadv-2011"></a>2011</h3>
+
+<ul><li><a shape="rect" href="secadv.data/CVE-2011-2516.txt?version=1&amp;modificationDate=1370360230000">CVE-2011-2516</a>: Apache Santuario XML Security for C++ contains buffer overflows signing or verifying with large keys.</li></ul>
 </div>
            </div>
            <!-- Content -->
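Review bot: each 2013 entry is wrapped in its own <ul> with a single <li>, separated by blank lines, rather than one list of four items; a single <ul> renders as one list and matches how the 2011 section is written. The entries also carry no version information while every advisory text says "prior to V1.7.1"; appending the fixed version to each line, for example "(fixed in 1.7.1)", would let readers triage from this index without opening each file, and the 2011 entry ends with a period while the 2013 entries do not. The change of the CVE-2011-2516 query string from modificationDate=1370360230363 to 1370360230000 is an incidental link change unrelated to the new advisories and only affects cache busting.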