ws-commits mailing list archives

From cohei...@apache.org
Subject svn commit: r1658675 - in /webservices/website/wss4j: advisories/ advisories/CVE-2015-0226.txt.asc advisories/CVE-2015-0227.txt.asc index.html
Date Tue, 10 Feb 2015 11:06:27 GMT
Author: coheigea
Date: Tue Feb 10 11:06:27 2015
New Revision: 1658675

URL: http://svn.apache.org/r1658675
Log:
Adding new security advisories

Added:
    webservices/website/wss4j/advisories/
    webservices/website/wss4j/advisories/CVE-2015-0226.txt.asc
    webservices/website/wss4j/advisories/CVE-2015-0227.txt.asc
Modified:
    webservices/website/wss4j/index.html

Added: webservices/website/wss4j/advisories/CVE-2015-0226.txt.asc
URL: http://svn.apache.org/viewvc/webservices/website/wss4j/advisories/CVE-2015-0226.txt.asc?rev=1658675&view=auto
==============================================================================
--- webservices/website/wss4j/advisories/CVE-2015-0226.txt.asc (added)
+++ webservices/website/wss4j/advisories/CVE-2015-0226.txt.asc Tue Feb 10 11:06:27 2015
@@ -0,0 +1,54 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2015-0226: Apache WSS4J is (still) vulnerable to Bleichenbacher's attack
+
+Severity: Major
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache WSS4J prior to 1.6.17 and
+2.0.2.
+
+Description:
+
+Apache WSS4J 1.6.5 contained a countermeasure for Bleichenbacher's attack on
+XML Encryption, where the PKCS#1 v1.5 Key Transport Algorithm is used to
+encrypt symmetric keys as part of WS-Security. In particular, the fix avoided
+leaking information on whether decryption failed when decrypting the encrypted
+key or decrypting the message data.
+
+However, it is still possible to craft a message such that an attacker can tell 
+where the decryption failure took place, and hence WSS4J is vulnerable to the
+original attack. 
+
+See here for more information on the original fix for WSS4J 1.6.5:
+
+http://cxf.apache.org/note-on-cve-2011-2487.html
+
+This has been fixed in revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1621329
+
+Migration:
+
+WSS4J 1.6.x users should upgrade to 1.6.17 or later as soon as possible.
+WSS4J 2.0.x users should upgrade to 2.0.2 or later as soon as possible.
+
+References: http://ws.apache.org/wss4j/security_advisories.html
+
+Acknowledgments: Dennis Kupser, Christian Mainka, Juraj Somorovsky (Ruhr
+University Bochum)
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAEBAgAGBQJU2dzUAAoJEGe/gLEK1TmD9g0H/iARiT79KnfLBwRCJqRNGS7u
+OvN/ZuqhtFMSqeS6l0AiY0uvTTvLuJOyNbEk+guU9K0IqwyBPpM/jQXILGyvBDx4
+MzlGn/ot26Dwcdw1v58KJuAxKh287Ht1FBEgL2fpT2/PJZWRptFVsXWPmfJdipcn
+SKlXkfZS9amgbh6CtZisW5iLrsDfbNK6rd40ZYr7lkB/bFMuCYi+bxKTgZE+/PS/
+BvTv2qYtpvFxLWhakXKE4ycLLR4SMh57MXkFecyQXh4ArhiDYOceVWS+VtzTVumm
+vZnLhwlCXEkgAJJcaq80OM+/bSbw/v+8kplsEcRLW21eW1i/Gg14TCsp+2T8x7o=
+=Qhzt
+-----END PGP SIGNATURE-----
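Review bot: the advisory cites the fixing revision (r1621329) but never says what that revision changes, so a reader cannot tell whether the remaining side channel was an error message, a different response, or timing between a failed EncryptedKey decryption and a failed EncryptedData decryption; one sentence after "This has been fixed in revision:" describing which distinguisher was closed would let operators verify the fix and let projects that embed WSS4J judge their exposure. The Migration section also offers nothing to users who cannot upgrade at once; since the Description ties the attack to the PKCS#1 v1.5 Key Transport Algorithm, state whether refusing RSA-1.5 key transport in favour of RSA-OAEP is an acceptable interim measure where interop allows it. Minor: the clearsigned text uses "Hash: SHA1"; for a signed security advisory, re-sign the .asc files with a SHA-2 digest (for example gpg --digest-algo SHA256).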

Added: webservices/website/wss4j/advisories/CVE-2015-0227.txt.asc
URL: http://svn.apache.org/viewvc/webservices/website/wss4j/advisories/CVE-2015-0227.txt.asc?rev=1658675&view=auto
==============================================================================
--- webservices/website/wss4j/advisories/CVE-2015-0227.txt.asc (added)
+++ webservices/website/wss4j/advisories/CVE-2015-0227.txt.asc Tue Feb 10 11:06:27 2015
@@ -0,0 +1,46 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2015-0227: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements
property
+
+Severity: Major
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache WSS4J prior to 1.6.17 and
+2.0.2.
+
+Description:
+
+Apache WSS4J has a "requireSignedEncryptedDataElements" boolean configuration
+property, which if set enforces that EncryptedData elements are in a signed
+subtree of the document. The default value of this property is "false". 
+However, it is possible to circumvent this setting by various types of
+wrapping attacks.
+
+This has been fixed in revision:
+
+http://svn.apache.org/viewvc?view=revision&revision=1619359
+
+Migration:
+
+WSS4J 1.6.x users should upgrade to 1.6.17 or later as soon as possible.
+WSS4J 2.0.x users should upgrade to 2.0.2 or later as soon as possible.
+
+References: http://ws.apache.org/wss4j/security_advisories.html
+
+Acknowledgments: Dennis Kupser, Christian Mainka, Juraj Somorovsky (Ruhr
+University Bochum)
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAEBAgAGBQJU2dzcAAoJEGe/gLEK1TmD+BgIALeCz42JQvRBMV2XF2W4/WdT
+7+ZSyJZM9vTOsy59FRDV2Njndsz+XL6CUbY2RtcEccir/rLHfE4pf/JLTVBZiYbr
+J8eOhvXFOyJ0BR/tLrliCohofsSmQCU/XBU7aYF1I7tlaJjehubw4/8DuPGLZz+b
+/og4t+2uSRujNf5Li8kxNGclx0hqpPFvEzMUGvq9+HPtPJaMLF3/b9+ns3VpfGP6
+ejq6kMNgiNiigoZCw3TXZ92hjuUsVSRdOQKtv0Lq0LVZ5+5HxMk5d9LZIpWjDP9L
+Li3lsXE0AxGr4NlIJF56MdaxqM9OJGBL7UaIjV0woHl9i7DhxwrBUJxF4lkX8uA=
+=gNWs
+-----END PGP SIGNATURE-----
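Review bot: the Migration section should say that upgrading alone does not enable the protection. The Description states the default for requireSignedEncryptedDataElements is "false", so a deployment that never set it gets no enforcement before or after the fix; only deployments that set it to "true" were exposed to the bypass and are the ones protected by 1.6.17 and 2.0.2. Add a line such as "Users who rely on this check should confirm that requireSignedEncryptedDataElements is set to true after upgrading." It would also help to name the kinds of wrapping attacks involved, since "various types of wrapping attacks" gives operators nothing to test against, or at least to point at the relevant part of r1619359.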

Modified: webservices/website/wss4j/index.html
URL: http://svn.apache.org/viewvc/webservices/website/wss4j/index.html?rev=1658675&r1=1658674&r2=1658675&view=diff
==============================================================================
--- webservices/website/wss4j/index.html (original)
+++ webservices/website/wss4j/index.html Tue Feb 10 11:06:27 2015
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-02-09 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-02-10 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20150209" />
+    <meta name="Date-Revision-yyyymmdd" content="20150210" />
     <meta http-equiv="Content-Language" content="en" />
         
         </head>
@@ -30,7 +30,7 @@
             
                     
                 <div class="xleft">
-        <span id="publishDate">Last Published: 2015-02-09</span>
+        <span id="publishDate">Last Published: 2015-02-10</span>
                   &nbsp;| <span id="projectVersion">Version: 2.0.4-SNAPSHOT</span>
                       </div>
             <div class="xright">        
@@ -162,6 +162,16 @@ The Apache WSS4J team are pleased to ann
 Please see the <a class="externalLink" href="https://issues.apache.org/jira/browse/WSS/fixforversion/12328782">
 release notes</a> for more information.
 </p>
+
+<p><b>February 2015</b> - 
+Two new security advisories have been issued for Apache WSS4J, that are both
+fixed in 1.6.17 and 2.0.2.
+</p>
+
+<p>
+Please see the <a href="security_advisories.html">the security advisories</a>
+page for more information.
+</p>
 </li>
 </ul>
 </div>
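Review bot: the link text in the second added paragraph reads "Please see the <a href="security_advisories.html">the security advisories</a> page", a doubled "the"; drop one of them. In the first paragraph, "Two new security advisories have been issued for Apache WSS4J, that are both fixed in 1.6.17 and 2.0.2" should read "both of which are fixed in 1.6.17 and 2.0.2", and since this same commit adds advisories/CVE-2015-0226.txt.asc and advisories/CVE-2015-0227.txt.asc, the news item should name the two CVE identifiers (and could link the .asc files directly) so readers scanning the front page can match them against their own trackers.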


