Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.
http://www.securityfocus.com/bid/53880
http://svn.apache.org/viewvc?view=revision&revision=1337150
http://secunia.com/advisories/51607
http://rhn.redhat.com/errata/RHSA-2012-1594.html
http://rhn.redhat.com/errata/RHSA-2012-1592.html