cxf: multiple vulnerabilities
Package(s): cxf
CVE #(s): CVE-2012-2379, CVE-2012-2378, CVE-2012-3451
Created: October 12, 2012
Updated: October 17, 2012
Description:
From the Fedora advisory:
A flaw was found in the way Apache CXF verifies that XML elements were signed or encrypted by a particular Supporting Token. CXF checks to ensure these elements are signed or encrypted by a Supporting Token, but not whether the correct token is used. A remote attacker could use this flaw to transmit confidential information without the appropriate security, and potentially to circumvent access controls on web services exposed via CXF. (CVE-2012-2379)
A flaw was found in the way Apache CXF enforced child policies of WS-SecurityPolicy 1.1 on the client side. In certain circumstances, this could lead to a client failing to sign or encrypt certain elements as directed by the security policy, leading to information disclosure and insecure transmission of information. (CVE-2012-2378)
Apache CXF is vulnerable to SOAPAction spoofing attacks under certain conditions. If web services are exposed via Apache CXF that use a unique SOAPAction for each service operation, then a remote attacker could perform SOAPAction spoofing to call a forbidden operation if it accepts the same parameters as an allowed operation. WS-Policy validation is performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)
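As an added illustration of the SOAPAction-spoofing issue (CVE-2012-3451) from the defender's side, not code from the advisory or from Apache CXF: the check below dispatches on the operation element in the SOAP Body and rejects any request whose SOAPAction header names a different operation, so a header for an allowed operation cannot be paired with a Body for a forbidden one that takes the same parameters. The service namespace, operation names and action URIs are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://example.invalid/orders"   # constructed service namespace

# Constructed operation -> SOAPAction map. Both operations take the same
# single <orderId> parameter, the situation the advisory describes.
OPERATIONS = {
    "getOrder": "urn:orders:getOrder",
    "deleteOrder": "urn:orders:deleteOrder",
}


def body_operation(envelope_xml: str) -> str:
    """Return the local name of the first child of soap:Body (the operation)."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no operation element in Body")
    tag = body[0].tag
    prefix = "{" + SERVICE_NS + "}"
    if not tag.startswith(prefix):
        raise ValueError("operation is not in the service namespace")
    return tag[len(prefix):]


def authorize(envelope_xml: str, soap_action: str) -> tuple[str, str]:
    """Resolve the operation from the Body, then require the header to agree.

    Returns (operation, verdict) where verdict is "ok", "unknown-operation"
    or "soapaction-mismatch"; anything but "ok" should be rejected and logged.
    """
    op = body_operation(envelope_xml)
    expected = OPERATIONS.get(op)
    if expected is None:
        return op, "unknown-operation"
    if soap_action.strip().strip('"') != expected:   # SOAP 1.1 quotes the value
        return op, "soapaction-mismatch"
    return op, "ok"


def soap_request(operation: str) -> str:
    """Constructed request; getOrder and deleteOrder share the same parameter."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'<o:{operation} xmlns:o="{SERVICE_NS}"><o:orderId>42</o:orderId>'
            f'</o:{operation}></soap:Body></soap:Envelope>')


if __name__ == "__main__":
    print(authorize(soap_request("getOrder"), '"urn:orders:getOrder"'))     # ok
    print(authorize(soap_request("deleteOrder"), '"urn:orders:getOrder"'))  # mismatch
```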
Alerts: