| <?xml version="1.0" encoding="ISO-8859-1"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <document> |
| <body> |
| <section name="Security Advisories"> |
| <p> |
| The following security advisories have been issued for Apache WSS4J™: |
| <ul> |
| <li><b>2015</b></li> |
| <ul> |
| <li><a href="advisories/CVE-2015-0226.txt.asc">CVE-2015-0226</a> - Apache |
| WSS4J is (still) vulnerable to Bleichenbacher's attack.</li> |
| <li><a href="advisories/CVE-2015-0227.txt.asc">CVE-2015-0227</a> - Apache |
| WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements |
| property</li> |
| </ul> |
| </ul> |
| </p> |
| <p> |
| As Apache WSS4J is a library that provides WS-Security functionality to web |
| service stacks such as Apache CXF and Apache Axis, security issues associated |
| with WS-Security tend to be reported to these downstream projects. Therefore |
| the best way to keep an eye on security issues involving WSS4J is to look at |
| the security advisories pages of these projects. |
| </p> |
| <p> |
| The security advisory page for Apache CXF is <a href="http://cxf.apache.org/security-advisories.html">here</a>. In particular, the following security |
| advisories are relevant to users of WSS4J: |
| </p> |
| <ul> |
| <li><a href="http://cxf.apache.org/cve-2012-5575.html">Note on CVE-2012-5575</a> - XML Encryption backwards compatibility attack on Apache CXF.</li> |
| <li><a href="http://cxf.apache.org/note-on-cve-2011-2487.html">Note on CVE-2011-2487</a> - Bleichenbacher attack against distributed symmetric key in WS-Security.</li> |
| <li><a href="http://cxf.apache.org/note-on-cve-2011-1096.html">Note on CVE-2011-1096</a> - XML Encryption flaw / Character pattern encoding attack.</li> |
| </ul> |
| |
| </section> |
| </body> |
| </document> |