CVE-2009-3474

Published: 29 September 2009

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
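
The check described above, as an added example in Python (not code from OpenSAML, XMLTooling or Shibboleth): selecting keys from SAML metadata for one purpose while honoring the KeyDescriptor use attribute. The function name keys_for, the honor_use switch and the sample metadata are assumptions made for illustration; a KeyDescriptor without a use attribute is treated as valid for both purposes, per the SAML metadata specification.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata; certificate bodies are placeholders, not real keys.
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
                     entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-DUAL-USE-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def keys_for(metadata_xml, purpose, honor_use=True):
    """Return certificate strings usable for `purpose` ('signing' or 'encryption').

    honor_use=False reproduces the behaviour the advisory describes (the use
    attribute is ignored); honor_use=True is the corrected selection.
    """
    if purpose not in ("signing", "encryption"):
        raise ValueError("purpose must be 'signing' or 'encryption'")
    selected = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")  # None means the key is valid for both purposes
        if honor_use and use not in (None, purpose):
            continue  # designated for the other purpose, or an unknown value
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            selected.append("".join((cert.text or "").split()))
    return selected
```

With honor_use=True the encryption-only certificate is never returned as a signing key, and the signing-only certificate is never returned as an encryption key.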

Priority

Low

Status

| Package | Release | Status |
|---|---|---|
| opensaml | Upstream | Released (2.2.1) |
| shibboleth-sp | Upstream | Released (2.2.1) |
| xmltooling | Upstream | Released (1.2.2-1) |