DUE TO SPAM, SIGN-UP IS DISABLED. Goto Selfserve wiki signup and request an account.
...
Another attack has emerged on the XML Encryption standard, as described by
the security advisory CVE-2011-2487:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2487
Tibor Jager, Sebastian Schinzel and Juraj Somorovsky have published a paper
that describes a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm,
used to encrypt symmetric keys as part of WS-Security. One of these attacks
exploits the fact that WSS4J can leak information about where a particular
decryption operation fails. This bug has been fixed in WSS4J 1.6.5, where a
new symmetric key is generated if the decryption of the encrypted key fails.
In this way it is not possible for an attacker to find out whether a decryption
failure was due to the failure of decrypting the key or the data.
...