
Bug 277873

Summary: [java overlay] dev-java/xml-security XML signature HMAC truncation authentication bypass (CVE-2009-0217)
Product: Gentoo Linux
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: [OLD] Java
Assignee: Java team <java>
Status: RESOLVED FIXED
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://svn.apache.org/viewvc?view=rev&revision=794013
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 277872
Bug Blocks:

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-15 00:48:01 UTC
+++ This bug was initially created as a clone of Bug #277872 +++

Please see the blocker for vulnerability details.

Upstream Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Patch: http://svn.apache.org/viewvc?view=rev&revision=794013

It seems they disallow HMAC truncation completely, so this is a sufficient patch for the vulnerability.

Note that since the ebuild is in an overlay, the Security Team will not be tracking this issue via our usual procedures. This is a regular Java herd bug.
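The truncation weakness the description refers to, as an added illustration that is not from the bug report or from Apache's xml-security code: a verifier that honours any HMACOutputLength a document supplies, beside one that, like the patch described above, refuses truncation altogether. The key, the SignedInfo bytes and the bit-masking helper are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample inputs; not taken from the bug report or from the library.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_SIGNED_INFO = b"<SignedInfo>constructed sample</SignedInfo>"
SHA1_BITS = 160  # full output length of HMAC-SHA1


def truncate_bits(digest: bytes, nbits: int) -> bytes:
    """Keep only the leading nbits of digest, the way HMACOutputLength asks."""
    nbytes = (nbits + 7) // 8
    out = bytearray(digest[:nbytes])
    if nbits % 8:  # clear the unused low bits of the last byte
        out[-1] &= (0xFF << (8 - nbits % 8)) & 0xFF
    return bytes(out)


def full_signature(key: bytes, signed_info: bytes) -> bytes:
    """SignatureValue an honest signer produces: the untruncated HMAC-SHA1."""
    return hmac.new(key, signed_info, hashlib.sha1).digest()


def verify_vulnerable(key: bytes, signed_info: bytes, sig_value: bytes,
                      output_length: int) -> bool:
    """Pre-fix shape of the check: honour whatever HMACOutputLength the
    (attacker-controlled) document supplies, with no lower bound. A length
    of 1 leaves two possible values; a length of 0 matches anything."""
    expected = truncate_bits(full_signature(key, signed_info), output_length)
    return hmac.compare_digest(expected, truncate_bits(sig_value, output_length))


def verify_fixed(key: bytes, signed_info: bytes, sig_value: bytes,
                 output_length: int = SHA1_BITS) -> bool:
    """Post-fix shape modelled on the description above: any HMACOutputLength
    other than the full digest length is refused outright."""
    if output_length != SHA1_BITS:
        return False  # truncation disallowed entirely
    return hmac.compare_digest(full_signature(key, signed_info), sig_value)


def accepted_without_key(signed_info: bytes, output_length: int) -> bool:
    """Ask the vulnerable verifier (which holds the real key) whether a
    SignatureValue built with no knowledge of that key still passes. With
    output_length == 1 one of b'\\x00' and b'\\x80' is always accepted."""
    for candidate in (b"\x00", b"\x80"):
        if verify_vulnerable(SAMPLE_KEY, signed_info, candidate, output_length):
            return True
    return False
```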
Comment 1 Patrice Clement gentoo-dev 2015-10-23 18:56:16 UTC
commit ac609fa (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Fri Oct 23 18:53:16 2015 +0000

    dev-java/xml-security: Moved to Portage a while ago. Removing from overlay. Fixes bug 277873.
    
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 delete mode 100644 dev-java/xml-security/Manifest
 delete mode 100644 dev-java/xml-security/metadata.xml
 delete mode 100644 dev-java/xml-security/xml-security-1.3.0.ebuild

No reason to keep it as it already exists in Portage under dev-java/xml-security and we package an up to date version.