-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2013-2172: Java XML Signature spoofing attack.

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all released versions of Apache Santuario XML Security for Java.

Description:
XML Signatures contain a "CanonicalizationMethod" parameter, which specifies a canonicalization algorithm to apply to the SignedInfo part of the Signature. Because the Apache Santuario XML Security for Java implementation of XML Signature allows arbitrary algorithms to be specified for this parameter, it is possible to mount a spoofing attack on an XML Signature.

The fix is that only standard canonicalization algorithms will be allowed for the CanonicalizationMethod parameter from now on.

This has been fixed in revision:
http://svn.apache.org/viewvc?view=revision&revision=1493772

Migration:
1.4.x users should upgrade to 1.4.8 as soon as possible.
1.5.x users should upgrade to 1.5.5 as soon as possible.

Credit:
This issue was reported by James Forshaw, Context Information Security

References:
http://santuario.apache.org/secadv.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJRyWEWAAoJEGe/gLEK1TmD4+sH/RD8fRr0TqPEnPBTddws4Hfh
Iwemxsdnf9h6NZDzw1hbkRqFeEw6VfpNtAlVSsV1Jl2a6TWAkZn+HoMNF5CnJhbd
4ckvgKC5d71bDk6gqFG/WGsGN0vV5xBiVbOxOa01inlfY5s19c3KlUzyI/FzNe0C
i7IENQ0o8FVoyG4pU6lH3TETULl6pUFsxwvZoN5zQ/SihwkwTve8wl4YFzRA0lgd
m34RL3OOxddF+XC5a+Udea9WI6oC6SlLT432otuUUFPOUahg6o7qcpbikykfUU1V
6OqxNpvuLM+UlhB2P/79inYx92ChwRt2J+ohxZ+zJoEkvd+JrZOvUldpl98ysMs=
=AZ4x
-----END PGP SIGNATURE-----
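Editor's added example, not part of the advisory and not code from the Santuario project: the Description above says the root cause is that any algorithm URI was accepted for CanonicalizationMethod, and the fix is an allow-list of the standard canonicalization algorithms. The class below shows that allow-list applied by the verifying application itself, before the Signature element is handed to Santuario. It signs a constructed document with exclusive C14N (accepted), then rewrites the CanonicalizationMethod Algorithm attribute to a URI that is not a canonicalization algorithm (the XSLT transform identifier, chosen here purely as an illustration of a non-C14N value) and shows the pre-check refusing it. Assumptions: Apache Santuario xmlsec on the classpath, Java 9 or later for Set.of, a throwaway RSA key generated in-process, and the class name C14nAllowList, which is mine.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added example (not advisory or project code): allow-list the CanonicalizationMethod
// of an XML Signature before Santuario is asked to verify it.
public final class C14nAllowList {

    // The six standard canonicalization algorithms; anything else is rejected.
    static final Set<String> STANDARD_C14N = Set.of(
        Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS,
        Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS,
        Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS,
        Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS,
        Canonicalizer.ALGO_ID_C14N11_OMIT_COMMENTS,
        Canonicalizer.ALGO_ID_C14N11_WITH_COMMENTS);

    // First direct child of parent in the ds: namespace with the given local name, or null.
    // Direct children only, so a nested Signature inside ds:Object cannot be picked up instead.
    static Element dsChild(Element parent, String localName) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && Constants.SignatureSpecNS.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    // Algorithm attribute of ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod, or null if absent.
    static String canonicalizationMethod(Element signature) {
        Element signedInfo = dsChild(signature, "SignedInfo");
        Element cm = signedInfo == null ? null : dsChild(signedInfo, "CanonicalizationMethod");
        if (cm == null || !cm.hasAttribute("Algorithm")) return null;
        return cm.getAttribute("Algorithm");
    }

    static boolean isStandardC14n(Element signature) {
        String alg = canonicalizationMethod(signature);
        return alg != null && STANDARD_C14N.contains(alg);
    }

    // Hand the Signature to Santuario only after the allow-list check has passed.
    static boolean verify(Element signature, PublicKey key) throws Exception {
        if (!isStandardC14n(signature)) {
            throw new SecurityException(
                "rejected CanonicalizationMethod: " + canonicalizationMethod(signature));
        }
        return new XMLSignature(signature, "").checkSignatureValue(key);
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();  // throwaway key

        // Constructed sample document, signed with an enveloped signature over itself.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElementNS(null, "Order");
        root.setTextContent("amount=100");
        doc.appendChild(root);

        XMLSignature sig = new XMLSignature(doc, "",
            XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256,
            Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        root.appendChild(sig.getElement());
        Transforms t = new Transforms(doc);
        t.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        sig.addDocument("", t, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.sign(kp.getPrivate());

        Element sigEl = sig.getElement();
        System.out.println("standard C14N accepted, valid = " + verify(sigEl, kp.getPublic()));

        // Rewrite CanonicalizationMethod to a URI that is not a C14N algorithm
        // (the XSLT transform identifier, used here only as an illustration).
        Element cm = dsChild(dsChild(sigEl, "SignedInfo"), "CanonicalizationMethod");
        cm.setAttribute("Algorithm", "http://www.w3.org/TR/1999/REC-xslt-19991116");
        try {
            verify(sigEl, kp.getPublic());
        } catch (SecurityException e) {
            System.out.println("pre-check " + e.getMessage());
        }
    }
}
```

Compile and run with the Santuario xmlsec jar and its dependencies on the classpath; the first line reports the valid signature, the second reports the rejection. Santuario 1.4.8 and 1.5.5 enforce the same restriction inside checkSignatureValue, so on a fixed build this check is defence in depth; it matters for applications pinned to older releases or fronting another XML-DSig stack, and it fails closed when CanonicalizationMethod or its Algorithm attribute is missing altogether.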