Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side. Apache CXF versions 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.0 are affected.
9192946a363a63b454cdbfe47e3d089546ef6e6058eec8ac012d7080b7e47be8