You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@santuario.apache.org by bu...@apache.org on 2009/07/14 20:59:37 UTC

DO NOT REPLY [Bug 47527] New: XML signature HMAC truncation authentication bypass

https://issues.apache.org/bugzilla/show_bug.cgi?id=47527

           Summary: XML signature HMAC truncation authentication bypass
           Product: Security
           Version: C++ 1.5.0
          Platform: All
               URL: http://www.kb.cert.org/vuls/id/466161
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: P1
         Component: C++ Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: cantor.2@osu.edu


Apache XML Security (C++) is affected by the vulnerability published in US-Cert
VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more information.
This bug can allow an attacker to bypass authentication by inserting/modifying
a small HMAC truncation length parameter in the XML Signature HMAC based
SignatureMethod algorithms.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

DO NOT REPLY [Bug 47527] XML signature HMAC truncation authentication bypass

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47527


Scott Cantor <ca...@osu.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




--- Comment #1 from Scott Cantor <ca...@osu.edu>  2009-07-14 12:04:35 PST ---
Fix in svn, will be released in 1.5.1.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

DO NOT REPLY [Bug 47527] XML signature HMAC truncation authentication bypass

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47527


Scott Cantor <ca...@osu.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED




-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.