CVE-2009-0217
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
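The root cause above is a verifier that honours whatever HMACOutputLength the signature asks for. The following added example (not code from any of the products listed, and not from the W3C recommendation) shows a verifier that validates the truncation length before it compares any MAC bytes; the minimum it enforces, at least 80 bits and at least half the digest length, and the helper names are assumptions made for this illustration.

```python
import hashlib
import hmac

# Policy assumed for this example (not taken from the page): HMACOutputLength must be
# at least 80 bits and at least half the digest length; anything shorter is rejected.
def min_hmac_output_length(digest_name):
    digest_bits = hashlib.new(digest_name).digest_size * 8
    return max(80, digest_bits // 2)

def check_hmac_output_length(digest_name, hmac_output_length):
    """True only if the requested truncation lies within the allowed window."""
    digest_bits = hashlib.new(digest_name).digest_size * 8
    return min_hmac_output_length(digest_name) <= hmac_output_length <= digest_bits

def truncate_mac(mac, out_bits):
    """Keep the leading out_bits bits of mac (XMLDsig truncates from the left)."""
    head = bytearray(mac[: (out_bits + 7) // 8])
    if out_bits % 8:
        head[-1] &= (0xFF << (8 - out_bits % 8)) & 0xFF
    return bytes(head)

def sign_hmac(key, signed_info, digest_name="sha1", hmac_output_length=None):
    """Produce the (possibly truncated) SignatureValue bytes for canonicalised SignedInfo."""
    digest_bits = hashlib.new(digest_name).digest_size * 8
    out_bits = digest_bits if hmac_output_length is None else hmac_output_length
    return truncate_mac(hmac.new(key, signed_info, digest_name).digest(), out_bits)

def verify_hmac_signature(key, signed_info, signature_value, digest_name="sha1",
                          hmac_output_length=None):
    """Reject unsafe truncation lengths before any MAC comparison takes place."""
    digest_bits = hashlib.new(digest_name).digest_size * 8
    out_bits = digest_bits if hmac_output_length is None else hmac_output_length
    if not check_hmac_output_length(digest_name, out_bits):
        raise ValueError("HMACOutputLength %d outside allowed range for %s"
                         % (out_bits, digest_name))
    # The signature must carry exactly the truncated width, nothing more or less.
    if len(signature_value) != (out_bits + 7) // 8:
        return False
    expected = sign_hmac(key, signed_info, digest_name, out_bits)
    return hmac.compare_digest(expected, truncate_mac(signature_value, out_bits))

if __name__ == "__main__":
    # Constructed sample: a shared key and an already-canonicalised SignedInfo fragment.
    key = b"constructed-shared-secret"
    signed_info = (b'<SignedInfo><SignatureMethod Algorithm='
                   b'"http://www.w3.org/2000/09/xmldsig#hmac-sha1"/></SignedInfo>')
    sig = sign_hmac(key, signed_info, "sha1", 80)
    print(verify_hmac_signature(key, signed_info, sig, "sha1", 80))  # True
    print(check_hmac_output_length("sha1", 8))                        # False: rejected
```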
Related bugs and status
CVE-2009-0217 (Candidate) is related to these bugs:
Bug | Summary | In | Importance | Status
---|---|---|---|---
85969 | Java Docs Package Won't Install | sun-java6 (Ubuntu) | Medium | Fix Released
85969 | Java Docs Package Won't Install | sun-java5 (Ubuntu) | Medium | Invalid
85969 | Java Docs Package Won't Install | j2se1.4-i586 (Ubuntu) | Wishlist | Invalid
406346 | Main Inclusion Report (Eucalyptus dependencies set 2) | libaxiom-java (Ubuntu) | Undecided | Fix Released
406346 | Main Inclusion Report (Eucalyptus dependencies set 2) | dnsjava (Ubuntu) | Undecided | Fix Released
406346 | Main Inclusion Report (Eucalyptus dependencies set 2) | netty (Ubuntu) | Undecided | Fix Released
406346 | Main Inclusion Report (Eucalyptus dependencies set 2) | jug (Ubuntu) | Undecided | Fix Released
406346 | Main Inclusion Report (Eucalyptus dependencies set 2) | mvel (Ubuntu) | Undecided | Fix Released
406346 | Main Inclusion Report (Eucalyptus dependencies set 2) | libslf4j-java (Ubuntu) | Undecided | Fix Released
406346 | Main Inclusion Report (Eucalyptus dependencies set 2) | libxml-security-java (Ubuntu) | Undecided | Fix Released
406346 | Main Inclusion Report (Eucalyptus dependencies set 2) | wss4j (Ubuntu) | Undecided | Fix Released
406346 | Main Inclusion Report (Eucalyptus dependencies set 2) | javassist (Ubuntu) | Undecided | Fix Released
409559 | version 1.6.0_15 is available | sun-java6 (Ubuntu) | Undecided | Fix Released
409559 | version 1.6.0_15 is available | The Dell Mini Project | Undecided | Invalid
409559 | version 1.6.0_15 is available | Jaunty Jackalope Backports | Undecided | Invalid
409559 | version 1.6.0_15 is available | Intrepid Ibex Backports | Undecided | Invalid
409559 | version 1.6.0_15 is available | Hardy Backports | Undecided | Invalid
409559 | version 1.6.0_15 is available | sun-java6 (Ubuntu Hardy) | Undecided | Fix Released
409559 | version 1.6.0_15 is available | sun-java6 (Ubuntu Karmic) | Undecided | Fix Released
409559 | version 1.6.0_15 is available | sun-java6 (Ubuntu Intrepid) | Undecided | Invalid
409559 | version 1.6.0_15 is available | sun-java6 (Ubuntu Jaunty) | Undecided | Fix Released
409920 | Sync mono 2.4.2.3+dfsg-1 (main) from Debian unstable (main). | mono (Ubuntu) | Wishlist | Fix Released
413583 | Sync xml-security-c 1.4.0-4 (universe) from Debian testing (main). | xml-security-c (Ubuntu) | Wishlist | Fix Released
416802 | Update to xml-security 1.4.3 to fix CVE-2009-0217 | libxml-security-java (Ubuntu) | High | Fix Released
420426 | sun-java6 6b16 update for karmic, hardy and jaunty | sun-java6 (Ubuntu) | Undecided | Fix Released
420426 | sun-java6 6b16 update for karmic, hardy and jaunty | sun-java6 (Ubuntu Hardy) | Undecided | Fix Released
420426 | sun-java6 6b16 update for karmic, hardy and jaunty | sun-java6 (Ubuntu Jaunty) | Undecided | Fix Released
420426 | sun-java6 6b16 update for karmic, hardy and jaunty | sun-java6 (Ubuntu Karmic) | Undecided | Fix Released
597240 | Sync xmlsec1 1.2.14-1 (universe) from Debian unstable (main) | xmlsec1 (Ubuntu) | Wishlist | Fix Released
882588 | LibreOffice/Mozilla integration broken | libreoffice (Ubuntu) | Undecided | Fix Released
882588 | LibreOffice/Mozilla integration broken | firefox (Ubuntu) | Undecided | Invalid