Your message dated Wed, 11 Jun 2025 22:34:36 +0000
with message-id <e1upu1k-003cep...@fasolo.debian.org>
and subject line Bug#1107195: fixed in python-signxml 4.0.5+dfsg-1
has caused the Debian Bug report #1107195,
regarding python-signxml: CVE-2025-48994 CVE-2025-48995
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1107195: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107195
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-signxml
Version: 4.0.3+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for python-signxml.

CVE-2025-48994[0]:
| SignXML is an implementation of the W3C XML Signature standard in
| Python. When verifying signatures with X509 certificate validation
| turned off and HMAC shared secret set
| (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`),
| versions of SignXML prior to 4.0.4 are vulnerable to a potential
| algorithm confusion attack. Unless the user explicitly limits the
| expected signature algorithms using the
| `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker
| may supply a signature unexpectedly signed with a key other than the
| provided HMAC key, using a different (asymmetric key) signature
| algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes
| the set of accepted signature algorithms to be restricted to HMAC
| only, if not already restricted by the user.


CVE-2025-48995[1]:
| SignXML is an implementation of the W3C XML Signature standard in
| Python. When verifying signatures with X509 certificate validation
| turned off and HMAC shared secret set
| (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`),
| versions of SignXML prior to 4.0.4 are vulnerable to a potential
| timing attack. The verifier may leak information about the correct
| HMAC when comparing it with the user supplied hash, allowing users
| to reconstruct the correct HMAC for any data.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48994
    https://www.cve.org/CVERecord?id=CVE-2025-48994
    https://github.com/XML-Security/signxml/security/advisories/GHSA-6vx8-pcwv-xhf4
    https://github.com/XML-Security/signxml/commit/e3c0c2b82a3329a65d917830657649c98b8c7600
[1] https://security-tracker.debian.org/tracker/CVE-2025-48995
    https://www.cve.org/CVERecord?id=CVE-2025-48995
    https://github.com/XML-Security/signxml/security/advisories/GHSA-gmhf-gg8w-jw42
    https://github.com/XML-Security/signxml/commit/1b501faaacf34cf978a52dbc6915ec11e27611cd

Regards,
Salvatore

--- End Message ---
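The two defects described in the report above, an algorithm allow-list that is too wide when only an HMAC key is configured (CVE-2025-48994) and a non-constant-time comparison of the HMAC (CVE-2025-48995), modelled together in one small stand-alone verifier with both mitigations applied. This is an added example, not signxml's own code and not the upstream fix: `allowed_methods`, `verify_hmac` and `outcome` are hypothetical names, the shared key and SignedInfo bytes are constructed sample input, and only the three algorithm URIs are real XML-DSig identifiers.

```python
import hashlib
import hmac
from typing import FrozenSet, Optional

# Real XML-DSig SignatureMethod algorithm URIs (RFC 6931); everything else in
# this block is a constructed model of the verifier's checks, not signxml code.
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
HMAC_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

HMAC_METHODS: FrozenSet[str] = frozenset({HMAC_SHA256, HMAC_SHA512})
ALL_METHODS: FrozenSet[str] = HMAC_METHODS | {RSA_SHA256}
_HMAC_HASH = {HMAC_SHA256: hashlib.sha256, HMAC_SHA512: hashlib.sha512}


class VerificationError(Exception):
    """Any verification failure. A single exception type keeps callers from
    distinguishing 'wrong algorithm' from 'wrong MAC' by exception class."""


def allowed_methods(hmac_key: Optional[bytes],
                    expect_methods: Optional[FrozenSet[str]]) -> FrozenSet[str]:
    """Effective allow-list of SignatureMethod URIs.

    Models the rule the advisory describes for 4.0.4: an explicit caller
    restriction (expect_config in signxml) always wins; otherwise configuring
    an HMAC key narrows the set to HMAC methods, so a document that declares
    an asymmetric SignatureMethod cannot sidestep the shared secret
    (CVE-2025-48994).
    """
    if expect_methods is not None:
        return frozenset(expect_methods)
    if hmac_key is not None:
        return HMAC_METHODS
    return ALL_METHODS


def hmac_signature(key: bytes, method: str, signed_info: bytes) -> bytes:
    """HMAC over the canonicalised SignedInfo bytes (constructed input here)."""
    return hmac.new(key, signed_info, _HMAC_HASH[method]).digest()


def verify_hmac(signed_info: bytes, method: str, signature_value: bytes,
                hmac_key: bytes,
                expect_methods: Optional[FrozenSet[str]] = None) -> bool:
    """Hardened verification: check the algorithm allow-list before touching
    key material, then compare MACs in constant time."""
    if method not in allowed_methods(hmac_key, expect_methods):
        raise VerificationError(f"signature method not permitted: {method}")
    if method not in _HMAC_HASH:
        # Only HMAC methods are modelled; an asymmetric method would need the
        # X.509 path that require_x509=False turns off in the advisory's scenario.
        raise VerificationError(f"no verifier for method: {method}")
    expected = hmac_signature(hmac_key, method, signed_info)
    # compare_digest takes time independent of where the inputs first differ,
    # which closes the per-byte leak described in CVE-2025-48995.
    if not hmac.compare_digest(expected, signature_value):
        raise VerificationError("HMAC SignatureValue mismatch")
    return True


def outcome(signed_info: bytes, method: str, signature_value: bytes,
            hmac_key: bytes,
            expect_methods: Optional[FrozenSet[str]] = None) -> str:
    """Run verify_hmac and fold the result into a log-friendly string."""
    try:
        verify_hmac(signed_info, method, signature_value, hmac_key, expect_methods)
        return "accepted"
    except VerificationError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample key
    signed_info = b"<SignedInfo>constructed canonical bytes</SignedInfo>"
    good = hmac_signature(key, HMAC_SHA256, signed_info)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    print("genuine HMAC:      ", outcome(signed_info, HMAC_SHA256, good, key))
    print("tampered HMAC:     ", outcome(signed_info, HMAC_SHA256, tampered, key))
    print("rsa-sha256 w/ key: ", outcome(signed_info, RSA_SHA256, b"\x00" * 256, key))
    print("caller pins sha512:", outcome(signed_info, HMAC_SHA256, good, key,
                                         frozenset({HMAC_SHA512})))
```

The ordering inside `verify_hmac` is the point: the declared algorithm is checked against the allow-list before any key is used, so a document claiming `rsa-sha256` against a verifier that only holds an HMAC secret is refused outright, and the MAC comparison that follows is `hmac.compare_digest` rather than `==`. When deploying the real library, the equivalent of the explicit restriction is `expect_config=...` on `signxml.XMLVerifier.verify`, which the advisory recommends regardless of version.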
--- Begin Message ---
Source: python-signxml
Source-Version: 4.0.5+dfsg-1
Done: Ying-Chun Liu (PaulLiu) <paul...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-signxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ying-Chun Liu (PaulLiu) <paul...@debian.org> (supplier of updated python-signxml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Jun 2025 05:12:58 +0800
Source: python-signxml
Architecture: source
Version: 4.0.5+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Ying-Chun Liu (PaulLiu) <paul...@debian.org>
Changed-By: Ying-Chun Liu (PaulLiu) <paul...@debian.org>
Closes: 1107195
Changes:
 python-signxml (4.0.5+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
     - The upstream fixes CVE-2025-48994 and CVE-2025-48995 (Closes: #1107195)
   * debian/control: Add pybuild-plugin-pyproject to Build-Depends to fix
     "PEP517 plugin dependencies are not available. Please Build-Depend on
     pybuild-plugin-pyproject."
     - Also add pybuild-plugin-pyproject, python3-hatch-vcs and
       python3-hatchling.
Checksums-Sha1:
 ee627a4fc00918164b6600f3b0dee6404f7452f3 2242 python-signxml_4.0.5+dfsg-1.dsc
 08d93b0f1a60d054661f18c766d6edc0a18a4dae 1383700 python-signxml_4.0.5+dfsg.orig.tar.xz
 04e6d875789b73b08b021a320c0785721c5a4ee2 8732 python-signxml_4.0.5+dfsg-1.debian.tar.xz
 89cc51c3f4d29890100b2f0390d4a98ad73b9fe9 9294 python-signxml_4.0.5+dfsg-1_source.buildinfo
Checksums-Sha256:
 889b71f4671b17516974ce6c9a26004c3a505a39cb2fbc1526f05db8bb1b97cc 2242 python-signxml_4.0.5+dfsg-1.dsc
 9349f81ad8457bd1dca2d6ec3c78ea7fe48584f8b5008e9529390528837bb7de 1383700 python-signxml_4.0.5+dfsg.orig.tar.xz
 5568fc93a75b12de1ca2d2f2646818003dead006babe2a9fa72ff54e72976372 8732 python-signxml_4.0.5+dfsg-1.debian.tar.xz
 468a9dbc48bbc89c4ce32920d2856a161b2c998a959a1e2b653aa7890b3ec01d 9294 python-signxml_4.0.5+dfsg-1_source.buildinfo
Files:
 cc2c3400d6a33872796e64c61de72a18 2242 python optional python-signxml_4.0.5+dfsg-1.dsc
 67e460c2bb4983235bea7c50c26c6672 1383700 python optional python-signxml_4.0.5+dfsg.orig.tar.xz
 3b84f0ac7f9567d91a2bf5eaef5f1705 8732 python optional python-signxml_4.0.5+dfsg-1.debian.tar.xz
 452cd5cc3d2d3ec8ea2e7ac0b1d3974e 9294 python optional python-signxml_4.0.5+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
