Thursday, June 7, 2012
New security vulnerabilities in Apache CXF
Two new security vulnerabilities have been announced in Apache CXF. Those of you using WS-SecurityPolicy should read the announcements carefully to make sure that you are not affected. If these vulnerabilities apply to your deployment then you should upgrade to a more recent version of CXF that contains fixes for these vulnerabilities. The issues in question are:
- CVE-2012-2378 - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.
- CVE-2012-2379 - Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token.