Package: wss4j / 1.6.15-2

Metadata

Package: wss4j
Version: 1.6.15-2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01 no saml.patch

pom.xml | 5 5 + 0 - 0 !
src/main/java/org/apache/ws/security/WSSConfig.java | 6 6 + 0 - 0 !
src/main/java/org/apache/ws/security/WSSecurityEngineResult.java | 3 2 + 1 - 0 !
src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java | 4 2 + 2 - 0 !
src/main/java/org/apache/ws/security/processor/UsernameTokenProcessor.java | 4 2 + 2 - 0 !
src/main/java/org/apache/ws/security/str/BSPEnforcer.java | 3 2 + 1 - 0 !
src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java | 5 2 + 3 - 0 !
src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java | 8 4 + 4 - 0 !
src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java | 10 6 + 4 - 0 !
src/main/java/org/apache/ws/security/str/SignatureSTRParser.java | 15 10 + 5 - 0 !
src/main/java/org/apache/ws/security/validate/Credential.java | 11 8 + 3 - 0 !
11 files changed, 49 insertions(+), 25 deletions(-)

 SAML is not packaged in Debian yet (RFP #656541).
 This patch disables the compilation of the SAML-related code.
02 CVE 2015 0227.patch

src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java | 2 1 + 1 - 0 !
src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java | 2 1 + 1 - 0 !
src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java | 2 1 + 1 - 0 !
src/main/java/org/apache/ws/security/util/WSSecurityUtil.java | 66 24 + 42 - 0 !
4 files changed, 27 insertions(+), 45 deletions(-)

 Fix CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
03 CVE 2015 0226.patch

src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java | 15 12 + 3 - 0 !
1 file changed, 12 insertions(+), 3 deletions(-)

 Fix CVE-2015-0226: WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property