Bug Reported to xmlsec


This spring, Yanni Blier and Paul Bordin worked on Wombat to include support for XML Encryption stubs. This support has been included in Wombat 0.5.

They used their stub to test existing implementations, and found that the command line tool xmlsec1 exhibited a Bleichenbacher oracle. This is clearly not the end of the world, since the attacker needs to be able to submit encrypted files and get the errors back. We nevertheless reported the issue upstream.

More on this later...