python-signxml - Debian Package Tracker

general

source: python-signxml (main)
version: 4.0.3+dfsg-1
maintainer: Ying-Chun Liu (PaulLiu) (DMD)
arch: all
std-ver: 4.7.0
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

testing: 4.0.3+dfsg-1
unstable: 4.0.3+dfsg-1

versioned links

4.0.3+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python-signxml-doc
python3-signxml

action needed

A new upstream version is available: 4.0.5 high

A new upstream version 4.0.5 is available, you should consider packaging it.

Created: 2025-06-03 Last update: 2025-06-09 12:30

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2025-48994: SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.
CVE-2025-48995: SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.

Created: 2025-06-02 Last update: 2025-06-03 06:32

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2025-48994: SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.
CVE-2025-48995: SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.

Created: 2025-06-02 Last update: 2025-06-03 06:32

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-02-05 Last update: 2025-06-09 14:05

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

python-signxml-doc could be marked Multi-Arch: foreign

Created: 2025-01-18 Last update: 2025-06-09 14:06

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-02-05] python-signxml 4.0.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-01-25] Accepted python-signxml 4.0.3+dfsg-1 (source) into unstable (Ying-Chun Liu (PaulLiu)) (signed by: Ying-Chun Liu)
[2025-01-17] Accepted python-signxml 4.0.2+dfsg-1 (source all) into unstable (Debian FTP Masters) (signed by: Ying-Chun Liu)

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.0.3+dfsg-1