Update to xml-security 1.4.3 to fix CVE-2009-0217

Bug #416802 reported by Thierry Carrez on 2009-08-21
This bug affects 1 person
Affects: libxml-security-java (Ubuntu)
Assigned to: Thierry Carrez

Bug Description

Binary package hint: libxml-security-java

Apache XML Security (Java) is affected by the vulnerability published in
US-CERT VU#466161. See http://www.kb.cert.org/vuls/id/466161 for more
information. This bug can allow an attacker to bypass authentication by
inserting/modifying a small HMAC truncation length parameter in the XML
Signature HMAC-based SignatureMethod algorithms.

Upgrading to 1.4.3 will fix this.

Thierry Carrez (ttx) on 2009-08-21
Changed in libxml-security-java (Ubuntu):
assignee: nobody → Thierry Carrez (ttx)
importance: Undecided → High
status: New → Triaged
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libxml-security-java - 1.4.3-0ubuntu1

libxml-security-java (1.4.3-0ubuntu1) karmic; urgency=low

  * New upstream release, fixes CVE-2009-0217 (LP: #416802)
  * debian/build.xml: target 1.4 code to be java2-compatible

 -- Thierry Carrez <email address hidden> Fri, 21 Aug 2009 10:34:59 +0200

Changed in libxml-security-java (Ubuntu):
status: Triaged → Fix Released
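
An added example, not part of the original bug report and not code from Apache XML Security: a pre-verification check that rejects the small HMAC truncation lengths the bug description refers to. The minimum applied (the larger of 80 bits and half the hash output) follows the W3C XML Signature guidance rather than anything stated on this page; the function names are hypothetical and the sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MORE = "http://www.w3.org/2001/04/xmldsig-more#"

# Full HMAC output size, in bits, per SignatureMethod algorithm URI.
HMAC_BITS = {
    DS + "hmac-sha1": 160,
    MORE + "hmac-md5": 128,
    MORE + "hmac-sha224": 224,
    MORE + "hmac-sha256": 256,
    MORE + "hmac-sha384": 384,
    MORE + "hmac-sha512": 512,
    MORE + "hmac-ripemd160": 160,
}

def check_signature_methods(xml_text):
    """Return (algorithm, declared value, reason) for each HMACOutputLength to reject."""
    findings = []
    # Sketch only: parse untrusted XML with a hardened parser in production.
    for sm in ET.fromstring(xml_text).iter("{%s}SignatureMethod" % DS):
        alg = sm.get("Algorithm", "")
        full = HMAC_BITS.get(alg)
        if full is None:
            continue  # not an HMAC method listed in the table above
        floor = max(80, full // 2)  # assumed policy: W3C minimum truncation length
        for el in sm.iter("{%s}HMACOutputLength" % DS):
            raw = (el.text or "").strip()
            if not re.fullmatch(r"[0-9]+", raw):
                reason = "not a non-negative integer"
            elif int(raw) < floor:
                reason = "below minimum of %d bits" % floor
            elif int(raw) > full:
                reason = "exceeds hash output of %d bits" % full
            else:
                continue  # acceptable truncation length
            findings.append((alg, raw, reason))
    return findings

def sample(alg, length=None):
    # Constructed test input, not taken from a real message.
    inner = "" if length is None else "<HMACOutputLength>%s</HMACOutputLength>" % length
    return ('<Signature xmlns="%s"><SignedInfo><SignatureMethod Algorithm="%s">%s'
            "</SignatureMethod></SignedInfo></Signature>" % (DS, alg, inner))

if __name__ == "__main__":
    for doc in (sample(DS + "hmac-sha1", 8), sample(MORE + "hmac-sha256", 128)):
        print(check_signature_methods(doc) or "accepted")
```

A check like this belongs before signature verification, so that a document declaring a too-short HMACOutputLength is rejected regardless of which library version performs the verification.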