Scott Cantor

**Name of the Vulnerable Software and Affected Versions** Shibboleth XMLTooling-C versions prior to 1.6.4 Shibboleth Service Provider versions prior to 2.6.1.4 on Windows **Description** The issue is related to the mishandling of digital signatures of user data, allowing remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. This is due to an incomplete fix for a previous issue. **Recommendations** For Shibboleth XMLTooling-C versions prior to 1.6.4, update to version 1.6.4 or later to resolve the issue. For Shibboleth Service Provider versions prior to 2.6.1.4 on Windows, update to version 2.6.1.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** cURL versions 7.4 through 7.19.5 cURL version 7.19.6 and earlier **Description** The issue allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. This is due to the faulty handling of a '0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate when OpenSSL is used. The vulnerability can be exploited remotely, potentially leading to a breach of confidentiality, integrity, and availability of protected information. **Recommendations** For cURL versions 7.4 through 7.19.5, update to a version later than 7.19.5 to resolve the issue. For cURL version 7.19.6 and earlier, update to a version later than 7.19.6. As a temporary workaround, consider disabling the use of OpenSSL in cURL until a patch is available. Restrict access to SSL servers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XML Security Library versions prior to 1.2.12 Mono versions prior to 2.4.2.2 IBM WebSphere Application Server versions prior to 6.0.2.33, 6.1.0.23, and 7.0.0.1 Oracle Application Server versions 10.1.2.3, 10.1.3.4, and 10.1.4.3IM Oracle WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6 Microsoft .NET Framework versions 3.0 through 3.0 SP2, 3.5, and 4.0 Sun JDK and JRE Update 14 and earlier **Description** The vulnerability is related to the W3C XML Signature Syntax and Processing recommendation, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. This can lead to data tampering and disruption of protected information. The vulnerability can be exploited remotely. **Recommendations** For XML Security Library versions prior to 1.2.12, update to version 1.2.12 or later. For Mono versions prior to 2.4.2.2, update to version 2.4.2.2 or later. For IBM WebSphere Application Server versions prior to 6.0.2.33, 6.1.0.23, and 7.0.0.1, update to the latest version. For Oracle Application Server versions 10.1.2.3, 10.1.3.4, and 10.1.4.3IM, update to the latest version. For Oracle WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6, update to the latest version. For Microsoft .NET Framework versions 3.0 through 3.0 SP2, 3.5, and 4.0, update to the latest version. For Sun JDK and JRE Update 14 and earlier, update to the latest version. As a temporary workaround, consider restricting access to HMAC-based signature methods until a patch is available.