20785 2009-07-15 15:05:36 +0400 CVE-2009-0217 XML signature HMAC truncation authentication bypass 2011-09-10 10:52:20 +0400 1 1 4 Development Sisyphus libxmlsec1 unstable all Linux CLOSED WONTFIX http://www.kb.cert.org/vuls/id/466161 security P3 normal --- 1 crux george andy george mike qa-sisyphus oldest_to_newest 94691 0 crux 2009-07-15 15:05:36 +0400 XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as specified in RFC2014. When HMAC truncation is under the control of an attacker, however, this can result in an effective authentication bypass. For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid. fixed in 1.2.12 125115 1 mike 2011-09-10 10:52:20 +0400 В сизифе такого пакета уже нет; последний бранч (с 1.2.10) -- 5.0: 4.0/SRPMS/xmlsec1-1.2.10-alt1.src.rpm 4.1/SRPMS/xmlsec1-1.2.10-alt1.src.rpm 5.0/SRPMS/xmlsec1-1.2.10-alt1.1.src.rpm