You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by co...@apache.org on 2021/09/17 08:50:41 UTC
svn commit: r1076843 - in /websites/production/santuario/content:
cache/main.pageCache index.html javaindex.html
secadv.data/CVE-2021-40690.txt.asc secadv.html
Author: coheigea
Date: Fri Sep 17 08:50:41 2021
New Revision: 1076843
Log:
Updating website with CVE info
Added:
websites/production/santuario/content/secadv.data/CVE-2021-40690.txt.asc
Modified:
websites/production/santuario/content/cache/main.pageCache
websites/production/santuario/content/index.html
websites/production/santuario/content/javaindex.html
websites/production/santuario/content/secadv.html
Modified: websites/production/santuario/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/santuario/content/index.html
==============================================================================
--- websites/production/santuario/content/index.html (original)
+++ websites/production/santuario/content/index.html Fri Sep 17 08:50:41 2021
@@ -94,7 +94,7 @@ Apache Santuario -- Index
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="Index-WelcometoApacheSantuario™">Welcome to Apache Santuario™</h1><h3 id="Index-TheProject">The Project</h3><p>The <strong>Apache Santuario™</strong> project is aimed at providing implementation of the primary security standards for XML:</p><ul><li>XML-Signature Syntax and Processing</li><li>XML Encryption Syntax and Processing.</li></ul><p>Two libraries are currently available.</p><ul><li>Apache XML Security for Java: This library includes the standard JSR-105 (Java XML Digital Signature) API,  a mature DOM-based implementation of both XML Signature and XML Encryption, as well as a more recent StAX-based (streaming) XML Signature and XML Encryption implementation.</li><li>Apache XML Security for C++: This library includes a mature Digital Signature and Encryption implementation using a proprietary C++ API on top of the Xerces-C XML Parser's DOM API. It includes a pluggable cryptographic layer, but support for alternatives t
o OpenSSL are less complete and less mature.</li></ul><h3 id="Index-News">News</h3><h5 id="Index-September2021">September 2021</h5><p>Version 2.2.3 and 2.1.7 of the Apache XML Security for Java library has been released.</p><p>Please see the <span class="confluence-link"><a shape="rect" href="javareleasenotes.html">release notes</a></span> for more information.</p><h5 id="Index-November2018">November 2018</h5><p>Version 2.0.2 of the Apache XML Security for C++ has been released.</p><p>This patch corrects a <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/SANTUARIO-496">bug</a> that can cause crashes in upstream applications. It is similar to, but not the same as, the one that was patched in V2.0.1, and resulted from further review of the code by the project that contributes all of the current manpower to the project. Appreciation is extended to the <a shape="rect" class="external-link" href="https://www.shibboleth.net/" rel="nofollow">Shibboleth</a>
Project team for this review.</p><p><br clear="none"></p><h3 id="Index-OlderNews">Older News</h3><p>See <a shape="rect" href="oldnews.html">here</a> for old news.</p><p><br clear="none"></p></div>
+<div id="ConfluenceContent"><h1 id="Index-WelcometoApacheSantuario™">Welcome to Apache Santuario™</h1><h3 id="Index-TheProject">The Project</h3><p>The <strong>Apache Santuario™</strong> project is aimed at providing implementation of the primary security standards for XML:</p><ul><li>XML-Signature Syntax and Processing</li><li>XML Encryption Syntax and Processing.</li></ul><p>Two libraries are currently available.</p><ul><li>Apache XML Security for Java: This library includes the standard JSR-105 (Java XML Digital Signature) API,  a mature DOM-based implementation of both XML Signature and XML Encryption, as well as a more recent StAX-based (streaming) XML Signature and XML Encryption implementation.</li><li>Apache XML Security for C++: This library includes a mature Digital Signature and Encryption implementation using a proprietary C++ API on top of the Xerces-C XML Parser's DOM API. It includes a pluggable cryptographic layer, but support for alternatives t
o OpenSSL are less complete and less mature.</li></ul><h3 id="Index-News">News</h3><h5 id="Index-September2021">September 2021</h5><p>Version 2.2.3 and 2.1.7 of the Apache XML Security for Java library has been released. Please see the <span class="confluence-link"><a shape="rect" href="javareleasenotes.html">release notes</a></span> for more information.</p><p>These releases contain a fix for a new CVE:</p><ul><li>CVE-2021-40690 - Bypass of the secureValidation property</li></ul><p>Please refer to the <a shape="rect" href="secadv.html">security advisories</a> page for further information.</p><h5 id="Index-November2018">November 2018</h5><p>Version 2.0.2 of the Apache XML Security for C++ has been released.</p><p>This patch corrects a <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/SANTUARIO-496">bug</a> that can cause crashes in upstream applications. It is similar to, but not the same as, the one that was patched in V2.0.1, and resulted from furth
er review of the code by the project that contributes all of the current manpower to the project. Appreciation is extended to the <a shape="rect" class="external-link" href="https://www.shibboleth.net/" rel="nofollow">Shibboleth</a> Project team for this review.</p><p><br clear="none"></p><h3 id="Index-OlderNews">Older News</h3><p>See <a shape="rect" href="oldnews.html">here</a> for old news.</p><p><br clear="none"></p></div>
</div>
<!-- Content -->
</td>
Modified: websites/production/santuario/content/javaindex.html
==============================================================================
--- websites/production/santuario/content/javaindex.html (original)
+++ websites/production/santuario/content/javaindex.html Fri Sep 17 08:50:41 2021
@@ -94,7 +94,7 @@ Apache Santuario -- java_index
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="java_index-ApacheXMLSecurityforJava">Apache XML Security for Java</h1><h3 id="java_index-Overview">Overview</h3><p>The Apache XML Security for Java library supports <a shape="rect" class="external-link" href="http://www.w3c.org/TR/2002/REC-xmldsig-core-20020212/" rel="nofollow">XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002</a> and <a shape="rect" class="external-link" href="http://www.w3c.org/TR/2002/REC-xmlenc-core-20021210/" rel="nofollow">XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002</a>.</p><p>There are a number of different options open to the developer using the library. For XML Signature, three different approaches are available:</p><ul><li>The JSR-105 API: The standard Java XML Digital Signature API. This uses a DOM (in-memory) implementation under-the-hood.</li><li>The Apache Santuario Java DOM API: The older DOM API which pre-dates JSR-105.</li><li>The Apache Santuario Java StAX API:
The newer StAX-based (streaming) API which uses far less memory for large XML trees than the DOM approach.</li></ul><p>For XML Encryption, two different approaches are available:</p><ul><li>The Apache Santuario Java DOM API: A DOM API for XML Encryption.</li><li>The Apache Santuario Java StAX API: The newer StAX-based (streaming) API which uses far less memory for large XML trees than the DOM approach.</li></ul><p>The StAX-based (streaming) functionality is only available as of the 2.0.0 release. Please see the <a shape="rect" href="streaming-xml-security.html">Streaming XML Security</a> page for more information about how to use this approach.</p><h3 id="java_index-News">News</h3><h5 id="java_index-September2021">September 2021</h5><p>Version 2.2.3 and 2.1.7 of the Apache XML Security for Java library has been released.</p><p>Please see the <span class="confluence-link"><a shape="rect" href="javareleasenotes.html">release notes</a></span> for more information.</p><h3 id="java_inde
x-OldNews">Old News</h3><p>See <a shape="rect" href="oldnews.html">here</a> for older news.</p></div>
+<div id="ConfluenceContent"><h1 id="java_index-ApacheXMLSecurityforJava">Apache XML Security for Java</h1><h3 id="java_index-Overview">Overview</h3><p>The Apache XML Security for Java library supports <a shape="rect" class="external-link" href="http://www.w3c.org/TR/2002/REC-xmldsig-core-20020212/" rel="nofollow">XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002</a> and <a shape="rect" class="external-link" href="http://www.w3c.org/TR/2002/REC-xmlenc-core-20021210/" rel="nofollow">XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002</a>.</p><p>There are a number of different options open to the developer using the library. For XML Signature, three different approaches are available:</p><ul><li>The JSR-105 API: The standard Java XML Digital Signature API. This uses a DOM (in-memory) implementation under-the-hood.</li><li>The Apache Santuario Java DOM API: The older DOM API which pre-dates JSR-105.</li><li>The Apache Santuario Java StAX API:
The newer StAX-based (streaming) API which uses far less memory for large XML trees than the DOM approach.</li></ul><p>For XML Encryption, two different approaches are available:</p><ul><li>The Apache Santuario Java DOM API: A DOM API for XML Encryption.</li><li>The Apache Santuario Java StAX API: The newer StAX-based (streaming) API which uses far less memory for large XML trees than the DOM approach.</li></ul><p>The StAX-based (streaming) functionality is only available as of the 2.0.0 release. Please see the <a shape="rect" href="streaming-xml-security.html">Streaming XML Security</a> page for more information about how to use this approach.</p><h3 id="java_index-News">News</h3><h5 id="java_index-September2021">September 2021</h5><p>Version 2.2.3 and 2.1.7 of the Apache XML Security for Java library has been released. Please see the <span class="confluence-link"><a shape="rect" href="javareleasenotes.html">release notes</a></span> for more information.</p><p>These releases conta
in a fix for a new CVE:</p><ul><li>CVE-2021-40690 - Bypass of the secureValidation property</li></ul><p>Please refer to the <a shape="rect" href="secadv.html">security advisories</a> page for further information.</p><h3 id="java_index-OldNews">Old News</h3><p>See <a shape="rect" href="oldnews.html">here</a> for older news.</p></div>
</div>
<!-- Content -->
</td>
Added: websites/production/santuario/content/secadv.data/CVE-2021-40690.txt.asc
==============================================================================
--- websites/production/santuario/content/secadv.data/CVE-2021-40690.txt.asc (added)
+++ websites/production/santuario/content/secadv.data/CVE-2021-40690.txt.asc Fri Sep 17 08:50:41 2021
@@ -0,0 +1,29 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Bypass of the secureValidation property (CVE-2021-40690)
+
+PRODUCT AFFECTED:
+
+This issue affects Apache Santuario XML Security for Java.
+
+PROBLEM:
+
+All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
+
+This issue has been assigned CVE-2021-40690.
+
+ACKNOWLEDGEMENTS:
+
+An Trinh, Calif.
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEE20Xs0ZuXUU9ycQWuZ7+AsQrVOYMFAmFEU8wACgkQZ7+AsQrV
+OYMiXggAiYJpjx3GQSnhhvqJSOylTfOabZoLd7nVF/5Dmnm3QyOKf5Tcyk1fFHAW
+oJ6e+bgAC2RaosA6iwptlTAEsIuSpncsd/wMKUV+6FXwJmnDCGkuOjKY6xUPuKGH
+lqEoDTYQrPoPNK4e6wkWN1n2Lp1YIgj9SyxeMdOGG7QFR829rk9PpKWcyptg3f+3
+H29chTQNFtVDgTUlPJDk+9KbHLDshJXh+tbFy6Hg4qd6bcIeqaXy60Gyv6QnfMWU
+P0vrObCmkzUL+roqWAkaVRvJfwgqc8lL4inEBxNCQu8q0Rzy/Qq4V5yF+yRcFuej
+E5sMDCOerZnxohBeNhCgmlNGUryXtg==
+=IK9Y
+-----END PGP SIGNATURE-----
Modified: websites/production/santuario/content/secadv.html
==============================================================================
--- websites/production/santuario/content/secadv.html (original)
+++ websites/production/santuario/content/secadv.html Fri Sep 17 08:50:41 2021
@@ -94,7 +94,7 @@ Apache Santuario -- secadv
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><p>The following security advisories have been issued in connection with the Santuario Project.</p><h3 id="secadv-2019">2019</h3><ul><li><a shape="rect" href="secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2" data-linked-resource-id="125310111" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2019-12400.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2019-12400</a>: Apache Santuario potentially loads XML parsing code from an untrusted source</li></ul><h3 id="secadv-2014">2014</h3><ul><li><a shape="rect" href="secadv.data/CVE-2014-8152.txt.asc?version=1&modificationDate=1421673805000&api=v2" data-linked-resource-id="51183994" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-ali
as="CVE-2014-8152.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2014-8152</a>: Streaming XML Signature verification failure</li></ul><h3 id="secadv-2013">2013</h3><ul><li><a shape="rect" href="secadv.data/cve-2013-4517.txt.asc?version=1&modificationDate=1387192225000&api=v2" data-linked-resource-id="39190529" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="cve-2013-4517.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2013-4517</a>: Java XML Signature DoS Attack</li><li><a shape="rect" href="secadv.data/CVE-2013-2210.txt?version=1&modificationDate=1372294549000&api=v2" data-linked-resource-id="33095706" data-linked-resource-version="1" data-linked-resource-t
ype="attachment" data-linked-resource-default-alias="CVE-2013-2210.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2013-2210</a>: Apache Santuario XML Security for C++ contains a heap overflow during XPointer evaluation</li><li><a shape="rect" href="secadv.data/CVE-2013-2172.txt.asc?version=1&modificationDate=1372152286000&api=v2" data-linked-resource-id="33095700" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2172.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2013-2172</a>: Java XML Signature spoofing attack</li><li><a shape="rect" href="secadv.data/CVE-2013-2153.txt?version=2&modificationDate=1371511768000&api=v2" data-linked-resource-id="31949323"
data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2153.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2013-2153</a>: Apache Santuario XML Security for C++ contains an XML Signature Bypass issue</li><li><a shape="rect" href="secadv.data/CVE-2013-2154.txt?version=2&modificationDate=1371511798000&api=v2" data-linked-resource-id="31949324" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2154.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2013-2154</a>: Apache Santuario XML Security for C++ contains a stack overflow during XPointer evaluation</li><li><a shape="rect" href="secadv.data/CVE-2013-2155.txt?
version=3&modificationDate=1372106605000&api=v2" data-linked-resource-id="31949325" data-linked-resource-version="3" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2155.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2013-2155</a>: Apache Santuario XML Security for C++ contains denial of service and hash length bypass issues while processing HMAC signatures</li><li><a shape="rect" href="secadv.data/CVE-2013-2156.txt?version=1&modificationDate=1371495608000&api=v2" data-linked-resource-id="31949322" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2156.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2013-2156</a>: Apache Sa
ntuario XML Security for C++ contains heap overflow while processing InclusiveNamespace PrefixList</li></ul><h3 id="secadv-2011">2011</h3><ul><li><a shape="rect" href="secadv.data/CVE-2011-2516.txt?version=1&modificationDate=1370345830000&api=v2" data-linked-resource-id="31949205" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2011-2516.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="9">CVE-2011-2516</a>: Apache Santuario XML Security for C++ contains buffer overflows signing or verifying with large keys.</li></ul></div>
+<div id="ConfluenceContent"><p>The following security advisories have been issued in connection with the Santuario Project.</p><h3 id="secadv-2021">2021</h3><ul><li><a shape="rect" href="secadv.data/CVE-2021-40690.txt.asc?version=1&modificationDate=1631867947126&api=v2" data-linked-resource-id="188746118" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2021-40690.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2021-40690</a>: Bypass of the secureValidation property</li></ul><h3 id="secadv-2019">2019</h3><ul><li><a shape="rect" href="secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2" data-linked-resource-id="125310111" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2019-12400.asc" data-n
ice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2019-12400</a>: Apache Santuario potentially loads XML parsing code from an untrusted source</li></ul><h3 id="secadv-2014">2014</h3><ul><li><a shape="rect" href="secadv.data/CVE-2014-8152.txt.asc?version=1&modificationDate=1421673805000&api=v2" data-linked-resource-id="51183994" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-8152.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2014-8152</a>: Streaming XML Signature verification failure</li></ul><h3 id="secadv-2013">2013</h3><ul><li><a shape="rect" href="secadv.data/cve-2013-4517.txt.asc?version=1&modificationDate=1387192225000&api=v2" data-linked-resource-id="39190
529" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="cve-2013-4517.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2013-4517</a>: Java XML Signature DoS Attack</li><li><a shape="rect" href="secadv.data/CVE-2013-2210.txt?version=1&modificationDate=1372294549000&api=v2" data-linked-resource-id="33095706" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2210.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2013-2210</a>: Apache Santuario XML Security for C++ contains a heap overflow during XPointer evaluation</li><li><a shape="rect" href="secadv.data/CVE-2013-2172.txt.asc?version=1&modificationDate=137
2152286000&api=v2" data-linked-resource-id="33095700" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2172.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2013-2172</a>: Java XML Signature spoofing attack</li><li><a shape="rect" href="secadv.data/CVE-2013-2153.txt?version=2&modificationDate=1371511768000&api=v2" data-linked-resource-id="31949323" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2153.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2013-2153</a>: Apache Santuario XML Security for C++ contains an XML Signature Bypass issue</li><li><a shape="rect" href="secadv.data/CVE-2013-21
54.txt?version=2&modificationDate=1371511798000&api=v2" data-linked-resource-id="31949324" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2154.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2013-2154</a>: Apache Santuario XML Security for C++ contains a stack overflow during XPointer evaluation</li><li><a shape="rect" href="secadv.data/CVE-2013-2155.txt?version=3&modificationDate=1372106605000&api=v2" data-linked-resource-id="31949325" data-linked-resource-version="3" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2155.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2013-2155</a>: Apache Santuario XML Security for C++
contains denial of service and hash length bypass issues while processing HMAC signatures</li><li><a shape="rect" href="secadv.data/CVE-2013-2156.txt?version=1&modificationDate=1371495608000&api=v2" data-linked-resource-id="31949322" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-2156.txt" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2013-2156</a>: Apache Santuario XML Security for C++ contains heap overflow while processing InclusiveNamespace PrefixList</li></ul><h3 id="secadv-2011">2011</h3><ul><li><a shape="rect" href="secadv.data/CVE-2011-2516.txt?version=1&modificationDate=1370345830000&api=v2" data-linked-resource-id="31949205" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2011-2516.txt" data-nice-type="Tex
t File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27821224" data-linked-resource-container-version="10">CVE-2011-2516</a>: Apache Santuario XML Security for C++ contains buffer overflows signing or verifying with large keys.</li></ul></div>
</div>
<!-- Content -->
</td>