Lucene search
GoogleOSV:DSA-1895-2HistorySep 24, 2009 - 12:00 a.m.
opensaml2, shibboleth-sp2 - interpretation conflict
2009-09-2400:00:00
Google
osv.dev
6
0.035 Low
EPSS
Percentile
91.5%
Several vulnerabilities have been discovered in the xmltooling packages,
as used by Shibboleth:
- Chris Ries discovered that decoding a crafted URL leads to a crash (and
potentially, arbitrary code execution). - Ian Young discovered that embedded NUL characters in certificate names
were not correctly handled, exposing configurations using PKIX trust
validation to impersonation attacks. - Incorrect processing of SAML metadata ignores key usage constraints.
This minor issue also needs a correction in the opensaml2 packages,
which will be provided in an upcoming stable point release (and,
before that, via stable-proposed-updates).
For the stable distribution (lenny), these problems have been fixed in
version 1.0-2+lenny1.
For the unstable distribution (sid), these problems have been fixed in
version 1.2.2-1.
We recommend that you upgrade your xmltooling packages.
| CPE | Name | Operator | Version |
|---|---|---|---|
| shibboleth-sp2 | eq | 2.0.dfsg1-4 |
References
Related
osv
osv
xmltooling - potential code execution
2009-09-24 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-1895-2)
2009-10-19 00:00:00
Debian: Security Advisory (DSA-1896-1)
2009-10-06 00:00:00
Debian: Security Advisory (DSA-1895-1)
2009-09-28 00:00:00
nessus
nessus
Debian DSA-1896-1 : opensaml, shibboleth-sp - several vulnerabilities
2010-02-24 00:00:00
Debian DSA-1895-1 : xmltooling - several vulnerabilities
2010-02-24 00:00:00
nvd
nvd
cve
cve
ubuntucve
ubuntucve
debiancve
debiancve
prion
prion
Code injection
2009-09-29 23:30:00
Buffer overflow
2009-09-29 23:30:00
Design/Logic Flaw
2009-09-29 23:30:00
cvelist
cvelist