Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0217 to the following vulnerability:

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.kb.cert.org/vuls/id/466161
http://secunia.com/advisories/35855/2/
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

References from US-CERT's VU#466161:
-------------------------------------
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.rsa.com/blog/blog_entry.aspx?id=1492
http://www.w3.org/TR/xmldsig-core/
http://www.w3.org/TR/xmldsig-core/#sec-HMAC
http://tools.ietf.org/html/rfc2104#section-5
http://www.oasis-open.org/specs/index.php#wss
http://www.w3.org/2000/xp/Group/
http://msdn.microsoft.com/en-us/library/ms996502.aspx
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21384925
http://santuario.apache.org/download.html
http://www.mono-project.com/Vulnerabilities
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
http://www.aleksey.com/xmlsec/downloads.html

Credit:
-------
Thomas Roessler of the W3C
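The following is an added example illustrating the weakness described in the report above; it is not code from this bug, from xmlsec, Apache Santuario, Mono or any other affected project. It models the HMAC part of an XMLDsig verifier without XML canonicalization: the signed bytes stand in for the canonicalized SignedInfo, which in real XMLDsig is where the attacker-controlled HMACOutputLength element lives. `verify_vulnerable` honours any truncation length the document asks for, so an attacker who does not know the key can brute-force the at most 2**n truncated MAC values (256 tries for 8 bits, 2 tries for 1 bit). `verify_fixed` applies the floor from RFC 2104 section 5 that the W3C errata (e03) added: at least 80 bits and at least half the digest length. Function names, the 8-bit attacker choice and the sample SignedInfo bytes are constructed for this example.

```python
"""Model of the CVE-2009-0217 HMAC truncation weakness (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# XMLDsig SignatureMethod http://www.w3.org/2000/09/xmldsig#hmac-sha1
DIGEST = hashlib.sha1
DIGEST_BITS = DIGEST().digest_size * 8       # 160 for SHA-1
MIN_HMAC_OUTPUT_LENGTH = 80                   # floor from RFC 2104 sec. 5 / errata e03


def truncated_hmac(key: bytes, signed_info: bytes, output_length: int) -> bytes:
    """Leftmost output_length bits of HMAC-SHA1 over the (canonicalized) SignedInfo.

    XMLDsig lets the signer shorten the MAC via <HMACOutputLength>; the element
    is part of SignedInfo, so a verifier reads it out of the very document it
    is checking.
    """
    mac = hmac.new(key, signed_info, DIGEST).digest()
    n_bytes = (output_length + 7) // 8
    out = bytearray(mac[:n_bytes])
    spare = n_bytes * 8 - output_length       # bits to clear in the last byte
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def verify_vulnerable(key: bytes, signed_info: bytes, output_length: int,
                      signature_value: bytes) -> bool:
    """Pre-fix behaviour: any truncation from 1 to 160 bits is accepted."""
    if not 0 < output_length <= DIGEST_BITS:
        return False
    expected = truncated_hmac(key, signed_info, output_length)
    return hmac.compare_digest(expected, signature_value)


def hmac_output_length_ok(output_length: int) -> bool:
    """Errata e03 rule: reject lengths below 80 bits or below half the digest size."""
    if output_length > DIGEST_BITS:
        return False
    return output_length >= max(MIN_HMAC_OUTPUT_LENGTH, DIGEST_BITS // 2)


def verify_fixed(key: bytes, signed_info: bytes, output_length: int,
                 signature_value: bytes) -> bool:
    """Post-fix behaviour: the length check runs before any MAC comparison."""
    if not hmac_output_length_ok(output_length):
        return False
    return verify_vulnerable(key, signed_info, output_length, signature_value)


Oracle = Callable[[bytes, int, bytes], bool]


def forge(signed_info: bytes, output_length: int, oracle: Oracle) -> Optional[bytes]:
    """Attacker without the key: try every possible truncated MAC value.

    `oracle` stands for the victim's verifier (a service that says accept/reject
    for a submitted signed message). With output_length bits there are only
    2**output_length candidates, so a small length makes this trivial.
    """
    n_bytes = (output_length + 7) // 8
    spare = n_bytes * 8 - output_length
    for guess in range(1 << output_length):
        candidate = (guess << spare).to_bytes(n_bytes, "big")
        if oracle(signed_info, output_length, candidate):
            return candidate
    return None


def demo(attacker_bits: int = 8) -> dict:
    """Run the forgery against both verifiers; the key is never given to the attacker."""
    key = secrets.token_bytes(20)
    # Constructed stand-in for canonicalized SignedInfo carrying the attacker's
    # chosen HMACOutputLength and a reference to the assertion to be accepted.
    signed_info = (b"<SignedInfo><SignatureMethod Algorithm='...#hmac-sha1'>"
                   b"<HMACOutputLength>%d</HMACOutputLength></SignatureMethod>"
                   b"<Reference URI='#attacker-assertion'/></SignedInfo>" % attacker_bits)

    def vulnerable_oracle(si: bytes, n: int, sig: bytes) -> bool:
        return verify_vulnerable(key, si, n, sig)

    def fixed_oracle(si: bytes, n: int, sig: bytes) -> bool:
        return verify_fixed(key, si, n, sig)

    return {
        "forged_against_vulnerable": forge(signed_info, attacker_bits, vulnerable_oracle) is not None,
        "forged_against_fixed": forge(signed_info, attacker_bits, fixed_oracle) is not None,
    }


if __name__ == "__main__":
    print(demo(8))   # forgery succeeds against the vulnerable verifier, fails against the fixed one
```

The point the check makes is that truncation length must be a verifier-side policy, not something read from the untrusted document: with the floor of 80 bits an attacker needs on the order of 2**80 oracle queries instead of 256.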
Patch and reproducer for Apache XML Security (Java): http://svn.apache.org/viewvc?view=rev&revision=794013
xml-security project has released version 1.5.1 of its C library. I have updated the xml-security-c package in rawhide. If the koji build is successful on all platforms I'll upgrade it on older branches as well.
xml-security-c-1.5.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
xml-security-c-1.5.1-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
xml-security-c-1.5.1-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 355945 [details] patch from debian's 1.2.1-3+etch1 release (DSA-1849-1)
Created attachment 355946 [details] patch from debian's 1.4.0-3+lenny2 release (DSA-1849-1)
This issue has been addressed in the following products:
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html
java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Upstream xmlsec1 commit by Aleksey Sanin: http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7 And relevant patch: http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
Hello Paul, I can see a rawhide Mono update: http://koji.fedoraproject.org/koji/buildinfo?buildID=114947 fixing CVE-2009-0217, but no relevant F10, F11, EPEL Mono updates addressing this issue. Could you schedule them - either apply the fix or upgrade to the latest Mono upstream version also for F10, F11 and EPEL-5? Thanks, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
xmlsec1-1.2.12-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc11
xmlsec1-1.2.12-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc10
xmlsec1-1.2.12-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
xmlsec1-1.2.12-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
Via RHSA-2009:1428 https://rhn.redhat.com/errata/RHSA-2009-1428.html
This issue has been addressed in the following products:
  JBEAP 4.3.0 for RHEL 4
Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html
This issue has been addressed in the following products:
  JBEAP 4.2.0 for RHEL 4
Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html
This issue has been addressed in the following products:
  JBEAP 4.3.0 for RHEL 5
Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html
This issue has been addressed in the following products:
  JBEAP 4.2.0 for RHEL 5
Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html
This issue has been addressed in the following products:
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1694 https://rhn.redhat.com/errata/RHSA-2009-1694.html
This issue has been addressed in the following products:
  Red Hat Network Satellite Server v 5.3
Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html
Created xml-security-c tracking bugs for this issue Affects: fedora-rawhide [bug 513078]
Created mono tracking bugs for this issue Affects: epel-5 [bug 694167]
*** EmbargoedBug 715014 has been marked as a duplicate of this bug. ***
*** EmbargoedBug 715020 has been marked as a duplicate of this bug. ***