Posted to dev@santuario.apache.org by bu...@apache.org on 2009/07/14 20:59:37 UTC
DO NOT REPLY [Bug 47527] New: XML signature HMAC truncation authentication bypass
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
Summary: XML signature HMAC truncation authentication bypass
Product: Security
Version: C++ 1.5.0
Platform: All
URL: http://www.kb.cert.org/vuls/id/466161
OS/Version: All
Status: NEW
Severity: blocker
Priority: P1
Component: C++ Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: cantor.2@osu.edu
Apache XML Security (C++) is affected by the vulnerability published in US-CERT
VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more information.
This bug can allow an attacker to bypass authentication by inserting/modifying
a small HMAC truncation length parameter in the XML Signature HMAC-based
SignatureMethod algorithms.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
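
The check implied by the report above, as an added example (not code from Apache XML Security or from the reporter): a verifier that reads `HMACOutputLength` from `SignatureMethod` and refuses any truncation length below the XML Signature minimum of max(80, half the hash output) bits. The key, signed bytes and helper names are constructed for illustration, and rejecting lengths that are not a multiple of 8 is a choice made in this example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
HMAC_ALGS = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

def min_output_bits(hash_bits):
    # XML Signature rule: at least 80 bits and at least half the hash output.
    return max(80, hash_bits // 2)

def method_xml(alg, bits=None):
    # Hypothetical helper: builds a constructed SignatureMethod element.
    child = "" if bits is None else f"<HMACOutputLength>{bits}</HMACOutputLength>"
    ns = "http://www.w3.org/2000/09/xmldsig#"
    return f'<SignatureMethod xmlns="{ns}" Algorithm="{alg}">{child}</SignatureMethod>'

def verify_hmac(signature_method_xml, key, signed_bytes, signature_value_b64):
    """True only if the (possibly truncated) HMAC matches and is long enough."""
    sm = ET.fromstring(signature_method_xml)
    digest = HMAC_ALGS.get(sm.get("Algorithm"))
    if digest is None:
        return False
    full = hmac.new(key, signed_bytes, digest).digest()
    hash_bits = len(full) * 8
    bits = hash_bits                      # no HMACOutputLength: full output
    node = sm.find(DS + "HMACOutputLength")
    if node is not None:
        text = (node.text or "").strip()
        if not (text.isascii() and text.isdigit()):
            return False                  # empty, negative or non-integer
        bits = int(text)
        # The length comes from the message, so it is untrusted input:
        # without this bound, 0 or 8 bits would match almost anything.
        if bits % 8 or not min_output_bits(hash_bits) <= bits <= hash_bits:
            return False
    try:
        presented = base64.b64decode(signature_value_b64, validate=True)
    except ValueError:
        return False
    # Constant-time compare against exactly the accepted number of bytes.
    return hmac.compare_digest(presented, full[: bits // 8])
```

A verifier without the bound check would accept an empty `SignatureValue` when `HMACOutputLength` is 0, which is why the length is validated before any comparison takes place.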
DO NOT REPLY [Bug 47527] XML signature HMAC truncation authentication bypass
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
Scott Cantor <ca...@osu.edu> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from Scott Cantor <ca...@osu.edu> 2009-07-14 12:04:35 PST ---
Fix in svn, will be released in 1.5.1.
DO NOT REPLY [Bug 47527] XML signature HMAC truncation authentication bypass
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
Scott Cantor <ca...@osu.edu> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED