Summary
James Forshaw discovered that Apache Santuario XML Security for Java did not correctly validate the parameters of a signature's CanonicalizationMethod: by specifying an arbitrary weak canonicalization algorithm, an attacker could spoof XML signatures.
In XML Signature the ds:SignatureValue is checked against ds:SignedInfo only after SignedInfo has been run through the canonicalization method that the signature itself names, so an attacker who can pick that algorithm controls the bytes the verifier feeds to the signature check, and a crafted SignedInfo referencing attacker-chosen content can be made to verify under an existing signature.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 1.4.5-1+deb7u1.
For the testing distribution (jessie), this problem has been fixed in version 1.5.5-2.
For the unstable distribution (sid), this problem has been fixed in version 1.5.5-2.
We recommend that you upgrade your libxml-security-java packages.
Insight
Apache Santuario supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the Java library supports the standard Java API JSR-105: XML Digital Signature APIs.
Affected
libxml-security-java on Debian Linux
Detection
This check compares the version of the installed libxml-security-java package, as recorded in the apt/dpkg package database, against the fixed versions listed under Solution.
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2013-2172
CVSS v2 Base Score: 4.3 (medium)
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities