Debian Package Tracker
Register | Log in
Subscribe

python-signxml

Choose email to subscribe with

general
  • source: python-signxml (main)
  • version: 4.0.3+dfsg-1
  • maintainer: Ying-Chun Liu (PaulLiu) (DMD)
  • arch: all
  • std-ver: 4.7.0
  • VCS: unknown
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • testing: 4.0.3+dfsg-1
  • unstable: 4.0.3+dfsg-1
versioned links
  • 4.0.3+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • python-signxml-doc
  • python3-signxml
action needed
A new upstream version is available: 4.0.5 high
A new upstream version 4.0.5 is available, you should consider packaging it.
Created: 2025-06-03 Last update: 2025-06-09 12:30
2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:
  • CVE-2025-48994: SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.
  • CVE-2025-48995: SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.
Created: 2025-06-02 Last update: 2025-06-03 06:32
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2025-48994: SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.
  • CVE-2025-48995: SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.
Created: 2025-06-02 Last update: 2025-06-03 06:32
Does not build reproducibly during testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2025-02-05 Last update: 2025-06-09 14:05
Multiarch hinter reports 1 issue(s) low
There are issues with the multiarch metadata for this package.
  • python-signxml-doc could be marked Multi-Arch: foreign
Created: 2025-01-18 Last update: 2025-06-09 14:06
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).
Created: 2025-02-21 Last update: 2025-02-27 13:25
news
[rss feed]
  • [2025-02-05] python-signxml 4.0.3+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-25] Accepted python-signxml 4.0.3+dfsg-1 (source) into unstable (Ying-Chun Liu (PaulLiu)) (signed by: Ying-Chun Liu)
  • [2025-01-17] Accepted python-signxml 4.0.2+dfsg-1 (source all) into unstable (Debian FTP Masters) (signed by: Ying-Chun Liu)
bugs [bug history graph]
  • all: 1
  • RC: 1
  • I&N: 0
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 4.0.3+dfsg-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing