Red Hat Security Advisory 2013-1218-01 - Apache Santuario implements the XML Signature Syntax and Processing and XML Encryption Syntax and Processing standards. A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially-crafted XML signature block.
86c9f0a10099718fdb23e425ee225470603c1c725723f459d41aede2928769fd