Update to xml-security 1.4.3 to fix CVE-2009-0217

Bug #416802 reported by Thierry Carrez
Affects: libxml-security-java (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Thierry Carrez

Bug Description

Binary package hint: libxml-security-java

Apache XML Security (Java) is affected by the vulnerability published in
US-CERT VU#466161. See: http://www.kb.cert.org/vuls/id/466161 for more
information. This bug can allow an attacker to bypass authentication by
inserting/modifying a small HMAC truncation length parameter in the XML
Signature HMAC-based SignatureMethod algorithms.

Upgrading to 1.4.3 will fix this.
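
Added example (not part of the original report and not Apache XML Security code): a pre-validation check in Python that rejects a SignatureMethod whose HMACOutputLength is below the bound the W3C XML Signature specification adopted for this issue, the larger of 80 bits and half the hash output length. The function names, the constructed sample fragments, and the upper-bound and repeated-element checks are assumptions of this example.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
MORE = "http://www.w3.org/2001/04/xmldsig-more#"
# Hash output size in bits for each HMAC SignatureMethod URI.
HMAC_BITS = {DSIG + "hmac-sha1": 160, MORE + "hmac-sha256": 256,
             MORE + "hmac-sha384": 384, MORE + "hmac-sha512": 512}

def check_hmac_output_length(signature_xml):
    """Return (ok, reason) for the SignatureMethod inside one ds:Signature."""
    root = ET.fromstring(signature_xml)  # use a hardened parser for untrusted input
    method = root.find(f".//{{{DSIG}}}SignatureMethod")
    if method is None:
        return False, "no SignatureMethod"
    lengths = method.findall(f"{{{DSIG}}}HMACOutputLength")
    if not lengths:
        return True, "no truncation requested"
    bits = HMAC_BITS.get(method.get("Algorithm"))
    if bits is None or len(lengths) != 1:
        return False, "HMACOutputLength on unknown algorithm or repeated"
    text = (lengths[0].text or "").strip()
    if not (text.isascii() and text.isdigit()):
        return False, f"non-numeric HMACOutputLength {text!r}"
    minimum = max(80, bits // 2)
    if not minimum <= int(text) <= bits:
        return False, f"HMACOutputLength {text} outside [{minimum}, {bits}]"
    return True, f"HMACOutputLength {text} accepted"

def sample(length, algorithm=DSIG + "hmac-sha1"):
    """Constructed ds:Signature fragment; length=None omits the element."""
    inner = "" if length is None else f"<HMACOutputLength>{length}</HMACOutputLength>"
    return (f'<Signature xmlns="{DSIG}"><SignedInfo>'
            f'<SignatureMethod Algorithm="{algorithm}">{inner}</SignatureMethod>'
            f'</SignedInfo></Signature>')

if __name__ == "__main__":
    for length in ("0", "8", "80", "160", None):
        print(length, check_hmac_output_length(sample(length)))
```

A length of 0 is the extreme case: a verifier that honours it compares zero bits of the HMAC, so the check must run before the signature value is evaluated.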

Thierry Carrez (ttx)
Changed in libxml-security-java (Ubuntu):
assignee: nobody → Thierry Carrez (ttx)
importance: Undecided → High
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml-security-java - 1.4.3-0ubuntu1

---------------
libxml-security-java (1.4.3-0ubuntu1) karmic; urgency=low

  * New upstream release, fixes CVE-2009-0217 (LP: #416802)
  * debian/build.xml: target 1.4 code to be java2-compatible

 -- Thierry Carrez <email address hidden> Fri, 21 Aug 2009 10:34:59 +0200

Changed in libxml-security-java (Ubuntu):
status: Triaged → Fix Released