Bug 277873 - [java overlay] dev-java/xml-security XML signature HMAC truncation authentication bypass (CVE-2009-0217)
Summary: [java overlay] dev-java/xml-security XML signature HMAC truncation authentica...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Java (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Java team
URL: http://svn.apache.org/viewvc?view=rev...
Whiteboard:
Keywords:
Depends on: CVE-2009-0217
Blocks:
Reported: 2009-07-15 00:48 UTC by Robert Buchholz (RETIRED)
Modified: 2015-10-23 18:56 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-15 00:48:01 UTC
+++ This bug was initially created as a clone of Bug #277872 +++

Please see the blocker for vulnerability details.

Upstream Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Patch: http://svn.apache.org/viewvc?view=rev&revision=794013

It seems they disallow HMAC truncation completely, so this is a sufficient patch for the vulnerability.

Note that since the ebuild is in an overlay, the Security Team will not be tracking this issue via our usual procedures. This is a regular Java herd bug.
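As an added illustration of the check the comment above describes (not code from this bug, from Apache xml-security or from the referenced patch, and in Python rather than the library's Java): a verifier that honours whatever HMACOutputLength the SignedInfo carries, beside one that rejects the element outright, which is how the comment reads the fix. The key, the SignedInfo bytes and all function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample inputs: a shared HMAC key and the canonicalised
# <SignedInfo> octets a verifier would MAC (not real XML-DSig data).
KEY = b"constructed-shared-secret"
SIGNED_INFO = b"<SignedInfo>...canonicalised bytes...</SignedInfo>"


def compute_hmac_sha1(key: bytes, signed_info: bytes) -> bytes:
    """Full 160-bit HMAC-SHA1 over the canonicalised SignedInfo."""
    return hmac.new(key, signed_info, hashlib.sha1).digest()


def truncate_bits(mac: bytes, nbits: int) -> bytes:
    """Keep only the leading nbits of mac (HMACOutputLength semantics)."""
    nbytes = (nbits + 7) // 8
    out = bytearray(mac[:nbytes])
    rem = nbits % 8
    if rem and out:
        out[-1] &= (0xFF << (8 - rem)) & 0xFF  # mask the trailing bits
    return bytes(out)


def verify_vulnerable(key, signed_info, signature_value, hmac_output_length=None):
    """Pre-fix behaviour: HMACOutputLength comes from the SignedInfo the
    signer (or an attacker) wrote, and the comparison is truncated to it.
    A length of 0 bits turns the comparison into b"" == b"", i.e. always true."""
    mac = compute_hmac_sha1(key, signed_info)
    if hmac_output_length is None:
        return hmac.compare_digest(mac, signature_value)
    n = hmac_output_length
    return hmac.compare_digest(truncate_bits(mac, n), truncate_bits(signature_value, n))


def verify_fixed(key, signed_info, signature_value, hmac_output_length=None):
    """Behaviour the comment attributes to the patch: any HMACOutputLength is
    refused, so the full MAC is always compared."""
    if hmac_output_length is not None:
        raise ValueError("HMACOutputLength is not supported; full-length HMAC required")
    mac = compute_hmac_sha1(key, signed_info)
    return hmac.compare_digest(mac, signature_value)
```
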
Comment 1 Patrice Clement gentoo-dev 2015-10-23 18:56:16 UTC
commit ac609fa (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Fri Oct 23 18:53:16 2015 +0000

    dev-java/xml-security: Moved to Portage a while ago. Removing from overlay. Fixes bug 277873.
    
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 delete mode 100644 dev-java/xml-security/Manifest
 delete mode 100644 dev-java/xml-security/metadata.xml
 delete mode 100644 dev-java/xml-security/xml-security-1.3.0.ebuild

No reason to keep it as it already exists in Portage under dev-java/xml-security and we package an up to date version.