-
Bug
-
Resolution: Done
-
Critical
-
7.4.19.GA
Apps requiring a custom security provider may face an issue on 7.4.17+ if they depend on delayed provider selection. Security debug shows the delayed provider selection disabled by org.apache.xml.security.algorithms.implementations.SignatureBaseRSA:
Signature: Signature.init() not first method called, disabling delayed provider selection java.lang.Exception: Debug call trace at java.security.Signature$Delegate.chooseFirstProvider(Signature.java:1054) at java.security.Signature.getProvider(Signature.java:436) at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.<init>(SignatureBaseRSA.java:64) at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.<init>(SignatureBaseRSA.java:57) at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1.<init>(SignatureBaseRSA.java:207)
That is a result of this commit in santuario 2.3.4, which we upgraded to for CVE-2024-28752.
We need to backport this fix or upgrade to santuario 2.3.5+ when available. And we also need to backport this to fix the changed test case on JDK 8.
- is incorporated by
-
JBEAP-28587 (7.4.x) Upgrade Apache Santuario from 2.3.4.redhat-00002 to 2.3.5.redhat-00001
- Pull Request Sent