Re: PR attack against XML Encryption

[Jan Lieskovsky <jlieskov () redhat com>]

Hi Florian,

  check with Juraj Somorovsky of the Ruhr University Bochum
for further details on this flaw.

Btw., the CVE identifier of CVE-2011-1096 has been already assigned
to this issue.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

On 10/20/2011 12:58 PM, Florian Weimer wrote:
> A German university has released a press release, alleging a
> vulnerability in the W3C XML Encryption standard.  Apparently, error
> reporting from existing implementations can be used as an oracle to
> recover information from messages encrypted in CBC mode.
>
> Details have not been published, as far as I know.  Does anybody know
> more?