This spring, Yanni Blier and Paul Bordin worked on Wombat to include support for XML Encryption stubs. This support has been included in Wombat 0.5.
They used their stub to test existing implementations, and found that the command line tool xmlsec1 exhibited a Bleichenbacher oracle. This is clearly not the end of the world, since the attacker needs to be able to submit encrypted files and get the errors back.
reported the issue
More on this later...