CVE-2011-2516: Apache Santuario XML Security for C++ contains buffer overflows signing or verifying with large keys.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Santuario XML Security for C++ library versions prior to V1.6.1

Description: A buffer overflow exists when creating or verifying XML signatures with RSA keys of sizes on the order of 8192 or more bits. This typically results in a crash and denial of service in applications that verify signatures using keys that could be supplied by an attacker.

Mitigation: Applications using library versions older than V1.6.1 should upgrade as soon as possible. Distributors of older versions should apply the patches from this subversion revision: http://svn.apache.org/viewvc?view=revision&revision=1125752

Applications that can prevent the use of arbitrary keys supplied by an attacker (such as within the ds:KeyInfo element of a signature), or limit key sizes, may prevent the exploitation of this bug.

Credit: This issue was reported by Paulo Zanoni.

References: http://santuario.apache.org/
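The key-size limit that the mitigation suggests, as an added example (not Santuario code): a pre-check applied to the ds:KeyInfo element before the signature is handed to the library, so an oversized attacker-supplied RSA key is never processed. The 4096-bit ceiling, the helper names and the constructed KeyInfo fragments are assumptions.

```python
"""Pre-check ds:KeyInfo and reject RSA moduli above a policy limit.
Added example, not part of Apache Santuario; the limit is an assumed policy."""
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MAX_RSA_BITS = 4096  # assumed policy; keys around 8192 bits triggered the overflow


def make_keyinfo(modulus: bytes) -> str:
    """Build a constructed ds:KeyInfo fragment around the given modulus bytes."""
    b64 = base64.b64encode(modulus).decode()
    return (f'<KeyInfo xmlns="{DS_NS}"><KeyValue><RSAKeyValue>'
            f'<Modulus>{b64}</Modulus><Exponent>AQAB</Exponent>'
            f'</RSAKeyValue></KeyValue></KeyInfo>')


def rsa_modulus_bits(keyinfo_xml: str) -> list:
    """Return the bit length of every ds:Modulus found under the fragment."""
    sizes = []
    for mod in ET.fromstring(keyinfo_xml).iter(f"{{{DS_NS}}}Modulus"):
        raw = base64.b64decode("".join((mod.text or "").split()))
        # ds:CryptoBinary is an unsigned big-endian integer, so the bit length
        # of the decoded value is the key size
        sizes.append(int.from_bytes(raw, "big").bit_length())
    return sizes


def check_key_info(keyinfo_xml: str, max_bits: int = MAX_RSA_BITS):
    """Return None if the KeyInfo may be passed to the signature library,
    otherwise a short reason string explaining the rejection."""
    root = ET.fromstring(keyinfo_xml)
    if root.tag != f"{{{DS_NS}}}KeyInfo":
        return "not a ds:KeyInfo element"
    # Only inline KeyValue (and a KeyName hint) can have their size bounded here;
    # X509Data, RetrievalMethod and others are rejected rather than trusted blindly.
    allowed = {f"{{{DS_NS}}}KeyValue", f"{{{DS_NS}}}KeyName"}
    for child in root:
        if child.tag not in allowed:
            return f"unsupported KeyInfo child {child.tag} (key size cannot be bounded)"
    sizes = rsa_modulus_bits(keyinfo_xml)
    if not sizes:
        return "no RSA modulus found"
    for bits in sizes:
        if bits > max_bits:
            return f"RSA modulus of {bits} bits exceeds policy of {max_bits}"
    return None


if __name__ == "__main__":
    print(check_key_info(make_keyinfo(b"\xff" + b"\x00" * 255)))   # 2048-bit key
    print(check_key_info(make_keyinfo(b"\x80" + b"\x00" * 1023)))  # 8192-bit key
```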