-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE-2013-2156: Apache Santuario XML Security for C++ contains heap overflow while processing InclusiveNamespace PrefixList Severity: Critical Vendor: The Apache Software Foundation Versions Affected: Apache Santuario XML Security for C++ library versions prior to V1.7.1 Description: A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitary code execution. If verification of the signature occurs prior to actual evaluation of a signing key, this could be exploited by an unauthenticated attacker. Mitigation: Applications using library versions older than V1.7.1 should upgrade as soon as possible. Distributors of older versions should apply the patches from this subversion revision: http://svn.apache.org/viewvc?view=revision&revision=1493961 Applications that prevent the use of Exclusive Canonicalization through the examination of signature content prior to verification are immune to this issue. Credit: This issue was reported by James Forshaw, Context Information Security References: http://santuario.apache.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Darwin) iQIcBAEBCgAGBQJRv5RVAAoJEDeLhFQCJ3lik6UP/jBeDwbmEIiTCZ0VrZll0IvF w8AnEw+5e3pdVVi7F+dS6FkbgL3dnklkWzIk5KT2slhuJ9Is+LHXCShdlBLOC1v5 Vv3in185YO+VH4dTb5y4hVyeZ1I+eQQA6yCvuSfUSRja7LKjDIK1KIcF9DbH+p+u YoRlKUaqKlTBAJGekZwLCgPS7r7z/TBYNRhn5LEg4MKrLhopUjiXZT838h+LRko7 PgoYaq9z5KHJjhTP0OdBR8CiIPECf5Ewsjy2PORGeQ67IvtcLm4nWEa+XwUiH5Iv sfQowtYtkkn1Utpfj+jiyknMlQKtVMmgEWk1a/DtzKBQYZ9SegIDNH6JFJTE+cYt PQuOv7P3w73gotCsuK7pnCWCwK4iIBdp6tvculdXbrWl5RpR/xBOiNnkIKvu3gR3 pfQVl71+APswrSsCnrFNt4sWpYVhBwZtCMAI8LfJVswO0vy87S2H2tguLXXHz03s eJ5c/UjNGP2JlXigsWYi3jmqQtotiQCpVy+WQF3WI+0t4N4IfYaUGv/2z+mQXY8q DVtINxoUqjWACc1Vp+G+ISFaunOH/Q9S0ejb2kHeE+BLtbIlVvQRdhJtXuBuOVt8 q/gSUV+Iiu4o5Sg8DAjmRpDeTJ8wXfSuQwtcYhIZ+kbie6MiJjWOOV2gVbrZL16m 077pIfbZ/6I12+KyYsK8 =I064 -----END PGP SIGNATURE-----