...
None of the following child policies of a WS-SecurityPolicy 1.1
(.*)SupportingToken policy are picked up on the client side:
- AlgorithmSuite
- SignedParts
- SignedElements
- EncryptedParts
- EncryptedElements
Note that all of these policies are picked up on the client side in the most
common use-cases, for example when an AlgorithmSuite is specified under a
security binding, or when a SignedParts Element is specified per-operation or
per-binding. They only do not apply when a SupportingToken is used to sign
or encrypt some part or element, for example:
...
This has been fixed in revision:
http://svn.apache.org/viewvc?view=revision&revision=1337150
The versions that are affected are CXF 2.4.5 to 2.4.7, CXF 2.5.1 to 2.5.3, and
CXF 2.6.0. The vulnerability does not exist in CXF 2.3.10, CXF 2.4.4 or 2.5.0.
...
CXF 2.4.5 to 2.4.7 users should upgrade to 2.4.8 as soon as possible.
CXF 2.5.1 to 2.5.3 users should upgrade to 2.5.4 as soon as possible.
CXF 2.6.0 users should upgrade to 2.6.1 as soon as possible.
References: http://cxf.apache.org/security-advisories.html
----BEGIN PGP SIGNATURE----
Version: GnuPG v1.4.11 (GNU/Linux)
...