• Bug#1107195: python-signxml: CVE-2025-48994 CVE-2025-48995

    From Salvatore Bonaccorso@21:1/5 to All on Mon Jun 2 23:00:01 2025
    Source: python-signxml
    Version: 4.0.3+dfsg-1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

    Hi,

    The following vulnerabilities were published for python-signxml.

    CVE-2025-48994[0]:
    | SignXML is an implementation of the W3C XML Signature standard in
    | Python. When verifying signatures with X509 certificate validation
    | turned off and HMAC shared secret set
    | (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`),
    | versions of SignXML prior to 4.0.4 are vulnerable to a potential
    | algorithm confusion attack. Unless the user explicitly limits the
    | expected signature algorithms using the
    | `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker
    | may supply a signature unexpectedly signed with a key other than the
    | provided HMAC key, using a different (asymmetric key) signature
    | algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes
    | the set of accepted signature algorithms to be restricted to HMAC
    | only, if not already restricted by the user.


    CVE-2025-48995[1]:
    | SignXML is an implementation of the W3C XML Signature standard in
    | Python. When verifying signatures with X509 certificate validation
    | turned off and HMAC shared secret set
    | (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`),
    | versions of SignXML prior to 4.0.4 are vulnerable to a potential
    | timing attack. The verifier may leak information about the correct
    | HMAC when comparing it with the user supplied hash, allowing users
    | to reconstruct the correct HMAC for any data.


    If you fix the vulnerabilities please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-48994
    https://www.cve.org/CVERecord?id=CVE-2025-48994
    https://github.com/XML-Security/signxml/security/advisories/GHSA-6vx8-pcwv-xhf4
    https://github.com/XML-Security/signxml/commit/e3c0c2b82a3329a65d917830657649c98b8c7600
    [1] https://security-tracker.debian.org/tracker/CVE-2025-48995
    https://www.cve.org/CVERecord?id=CVE-2025-48995
    https://github.com/XML-Security/signxml/security/advisories/GHSA-gmhf-gg8w-jw42
    https://github.com/XML-Security/signxml/commit/1b501faaacf34cf978a52dbc6915ec11e27611cd

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
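The two advisories quoted above describe the same verification path (`require_x509=False, hmac_key=...`) and two distinct fixes: pin the accepted signature algorithms to HMAC when a shared secret is supplied, and compare the HMAC in constant time. The following block is an added illustration of those two checks written against the Python standard library only; it is not SignXML's code and does not use its API. It assumes a toy canonicalisation (the raw bytes of the `SignedInfo` element) and a constructed envelope format, both of which are simplifications of the real XML Signature processing model.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# When the caller supplies an HMAC key, only HMAC methods may be accepted.
# This mirrors the default behaviour the advisory attributes to SignXML 4.0.4.
HMAC_ALGORITHMS = frozenset({HMAC_SHA256})


class VerificationError(Exception):
    pass


def raw_signed_info(doc: str) -> bytes:
    # Assumption: toy "canonicalisation" that takes the SignedInfo element's
    # raw bytes. A real verifier must apply the declared CanonicalizationMethod.
    start = doc.index("<SignedInfo")
    end = doc.index("</SignedInfo>") + len("</SignedInfo>")
    return doc[start:end].encode()


def make_signed_document(body: str, key: bytes, algorithm: str = HMAC_SHA256) -> str:
    """Constructed sample signer: HMAC-SHA256 over SignedInfo, which carries the body digest."""
    digest = base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()
    signed_info = (
        f'<SignedInfo xmlns="{DS}"><SignatureMethod Algorithm="{algorithm}"/>'
        f'<Reference URI=""><DigestValue>{digest}</DigestValue></Reference></SignedInfo>'
    )
    mac = base64.b64encode(hmac.new(key, signed_info.encode(), hashlib.sha256).digest()).decode()
    return (
        f'<Envelope><Body>{body}</Body><Signature xmlns="{DS}">{signed_info}'
        f"<SignatureValue>{mac}</SignatureValue></Signature></Envelope>"
    )


def verify(doc: str, hmac_key: bytes, expect_algorithms=None) -> str:
    """Return the verified Body text, or raise VerificationError."""
    if expect_algorithms is None:
        # Caller gave us a shared secret but no explicit allowlist: restrict to HMAC.
        expect_algorithms = HMAC_ALGORITHMS
    root = ET.fromstring(doc)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        raise VerificationError("no Signature element")
    method_el = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    if method_el is None:
        raise VerificationError("no SignatureMethod element")
    method = method_el.get("Algorithm")
    # Mitigation for the algorithm-confusion issue: pin the SignatureMethod
    # before touching any key material, so an asymmetric method is never
    # dispatched to while the caller expects a shared secret.
    if method not in expect_algorithms:
        raise VerificationError(f"unexpected SignatureMethod {method}")
    expected = hmac.new(hmac_key, raw_signed_info(doc), hashlib.sha256).digest()
    supplied = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    # Mitigation for the timing issue: compare_digest takes time independent of
    # where the first mismatching byte lies; a plain `expected == supplied` does not.
    if not hmac.compare_digest(expected, supplied):
        raise VerificationError("SignatureValue does not match HMAC")
    body = root.findtext("Body") or ""
    reference_digest = base64.b64decode(
        sig.findtext(f"{{{DS}}}SignedInfo/{{{DS}}}Reference/{{{DS}}}DigestValue") or ""
    )
    if not hmac.compare_digest(hashlib.sha256(body.encode()).digest(), reference_digest):
        raise VerificationError("Body does not match the signed digest")
    return body


def check(doc: str, hmac_key: bytes, expect_algorithms=None) -> tuple:
    """Convenience wrapper returning (ok, detail) instead of raising."""
    try:
        return True, verify(doc, hmac_key, expect_algorithms)
    except VerificationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample secret
    good = make_signed_document("order 42 approved", key)
    print(check(good, key))
    print(check(good.replace("order 42 approved", "order 42 denied"), key))
    print(check(make_signed_document("order 42 approved", key, RSA_SHA256), key))
```

The order of the checks is the point: the algorithm allowlist is consulted before any key is used, so a document declaring an asymmetric `SignatureMethod` is rejected outright when the caller only holds a shared secret, and every comparison of secret-derived bytes goes through `hmac.compare_digest`. Callers who do want a broader set pass `expect_algorithms` explicitly, which parallels the advisory's `expect_config` remedy.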
  • From Debian Bug Tracking System@21:1/5 to All on Thu Jun 12 00:40:01 2025

    Your message dated Wed, 11 Jun 2025 22:34:36 +0000
    with message-id <[email protected]>
    and subject line Bug#1107195: fixed in python-signxml 4.0.5+dfsg-1
    has caused the Debian Bug report #1107195,
    regarding python-signxml: CVE-2025-48994 CVE-2025-48995
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact [email protected]
    immediately.)


    --
    1107195: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107195
    Debian Bug Tracking System
    Contact [email protected] with problems

    Received: (at submit) by bugs.debian.org; 2 Jun 2025 20:57:12 +0000
    Return-path: <[email protected]>
    Received: from c-82-192-244-13.cust