CVE-2009-3475
Published: 29 September 2009
Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
opensaml Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Released
(1.1.1-2+lenny1build0.8.10.2)
|
|
| jaunty |
Released
(1.1.1-2+lenny1build0.9.04.2)
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
shibboleth-sp Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Ignored
(end of life, was needed)
|
|
| jaunty |
Released
(1.3.1.dfsg1-3+lenny1build0.9.04.2)
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| upstream |
Released
(1.3.3, 2.2.1)
|
|
|
xmltooling Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| intrepid |
Ignored
(end of life, was needed)
|
|
| jaunty |
Ignored
(end of life)
|
|
| karmic |
Ignored
(end of life)
|
|
| lucid |
Not vulnerable
(1.2.2-1)
|
|
| maverick |
Not vulnerable
(1.2.2-1)
|
|
| natty |
Not vulnerable
(1.2.2-1)
|
|
| oneiric |
Not vulnerable
(1.2.2-1)
|
|
| upstream |
Released
(1.2.2-1)
|