Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-85-1 libxml-security-java

Debian Security Advisory

DLA-85-1 libxml-security-java -- LTS security update

Date Reported:

09 Nov 2014

Affected Packages:

libxml-security-java

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2013-2172.

More information:

James Forshaw discovered that, in Apache Santuario XML Security for Java, CanonicalizationMethod parameters were incorrectly validated: by specifying an arbitrary weak canonicalization algorithm, an attacker could spoof XML signatures.

For Debian 6 Squeeze, these issues have been fixed in libxml-security-java version 1.4.3-2+deb6u1