James Forshaw discovered that, in Apache Santuario XML Security for
Java, CanonicalizationMethod parameters were incorrectly validated:
by specifying an arbitrary weak canonicalization algorithm, an
attacker could spoof XML signatures.
For the stable distribution (wheezy), this problem has been fixed in
For the testing distribution (jessie), this problem has been fixed in
For the unstable distribution (sid), this problem has been fixed in
We recommend that you upgrade your libxml-security-java packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Debian Security Advisory DSA-3065-1
Sebastien Delafond
November 06, 2014
https://www.debian.org/security/
https://www.debian.org/security/faq