Red Hat Security Advisory 2014-0400-03 - Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Security fixes: A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
59fb89a523cbebe70f311b3e2011f6b31d5456d35c7cb4af096d9f8a7b46823e
Red Hat Security Advisory 2014-0401-02 - Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications. Red Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat JBoss A-MQ 6.0.0 and includes several bug fixes and enhancements.
884c2290b52cd9e01634db919d477a8981b15a764efe9bb37401b8a31a1d82ba
Debian Linux Security Advisory 2890-1 - Two vulnerabilities were discovered in libspring-java, the Debian package for the Java Spring framework.
27f9ee57599c732f28379d5fd74abab6f97c737a3bcf24f10c2f7392d21aa918
Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is now disabled by default. Versions 3.0.0 through 3.2.8 and 4.0.0 through 4.0.1 are affected.
99a8ad7c850c897b9d19d09b3e771b91512dc689e5f940a3f5f0bfee478e8189