All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

References:
https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
http://www.openwall.com/lists/oss-security/2023/10/20/5
Created xml-security-c tracking bugs for this issue:
Affects: epel-all [bug 2246071]
Affects: fedora-all [bug 2246072]

Created xml-security-c tracking bugs for this issue:
Affects: epel-all [bug 2260292]
Affects: fedora-all [bug 2260293]
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2024:0712 https://access.redhat.com/errata/RHSA-2024:0712
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2024:0710 https://access.redhat.com/errata/RHSA-2024:0710
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2024:0711 https://access.redhat.com/errata/RHSA-2024:0711
This issue has been addressed in the following products: EAP 7.4.15 Via RHSA-2024:0714 https://access.redhat.com/errata/RHSA-2024:0714
This issue has been addressed in the following products: RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2) Via RHSA-2024:0789 https://access.redhat.com/errata/RHSA-2024:0789
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2024:0799 https://access.redhat.com/errata/RHSA-2024:0799
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2024:0800 https://access.redhat.com/errata/RHSA-2024:0800
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2024:0798 https://access.redhat.com/errata/RHSA-2024:0798
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2024:0801 https://access.redhat.com/errata/RHSA-2024:0801
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2024:0804 https://access.redhat.com/errata/RHSA-2024:0804
Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version.
This issue has been addressed in the following products: Red Hat build of Apache Camel 3.20.6 for Spring Boot Via RHSA-2024:3708 https://access.redhat.com/errata/RHSA-2024:3708