CVE-2014-8152: Streaming XML Signature verification failure

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all 2.0.x versions of Apache Santuario XML Security for Java until 2.0.3. It does not affect 1.4.x or 1.5.x.

Description: The 2.0.x series of releases of the Apache Santuario XML Security for Java library introduced support for streaming (StAX-based) XML Signature and Encryption. For certain XML documents, it is possible to modify the document without the streaming XML Signature verification code reporting an error when validating the signature.

Please note that the "in-memory" (DOM) API for XML Signature is not affected by this issue, nor is the JSR-105 API. Web service stacks that use the streaming functionality of Apache Santuario (such as Apache CXF/WSS4J) are also not affected by this vulnerability.

This has been fixed in revision: http://svn.apache.org/viewvc?view=revision&revision=1634334

Migration: This issue does not affect 1.5.x users. 2.0.x users should upgrade to 2.0.3 as soon as possible.

Credit: This issue was reported by Jaime Pallarés Rel, Software Development Director at Logalty.
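A defender-side check added here (example code, not part of the advisory or of the Santuario project): a small Python audit that flags org.apache.santuario:xmlsec dependencies in a Maven pom.xml whose version falls in the affected range stated above (2.0.x before 2.0.3). The sample POM is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Range from the advisory: every 2.0.x release before 2.0.3 is affected;
# 1.4.x and 1.5.x are explicitly not affected.
FIXED_VERSION = (2, 0, 3)

def parse_version(text):
    """Numeric prefix of a Maven version as a tuple: '2.0.3-SNAPSHOT' -> (2, 0, 3).
    Returns None when no leading digits exist (e.g. an unresolved '${xmlsec.version}')."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def is_affected(version):
    """True if version is in the CVE-2014-8152 range (2.0.0 <= v < 2.0.3); None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return v[:2] == (2, 0) and v < FIXED_VERSION

def audit_pom(pom_xml):
    """Scan a pom.xml string for org.apache.santuario:xmlsec dependencies.
    Returns a list of (version, status) with status 'affected', 'ok' or 'unknown'."""
    root = ET.fromstring(pom_xml)
    # Maven POMs carry a default namespace; compare on the local tag name only.
    local = lambda tag: tag.rsplit("}", 1)[-1]
    results = []
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "") for c in dep}
        if fields.get("groupId") == "org.apache.santuario" and fields.get("artifactId") == "xmlsec":
            ver = fields.get("version", "")
            flag = is_affected(ver)
            status = "unknown" if flag is None else ("affected" if flag else "ok")
            results.append((ver, status))
    return results

# Constructed sample POM (hypothetical project, not from any real code base).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.santuario</groupId><artifactId>xmlsec</artifactId><version>2.0.2</version></dependency>
    <dependency><groupId>org.apache.santuario</groupId><artifactId>xmlsec</artifactId><version>1.5.0</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for ver, status in audit_pom(SAMPLE_POM):
        print(f"xmlsec {ver}: {status}")  # prints: 2.0.2 affected, 1.5.0 ok
```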