CVE-2009-3475
Published: 29 September 2009
Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
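As an added illustration of the defect described above (example code, not from the Ubuntu tracker or the Shibboleth project): a hostname comparison that treats the certificate name as a NUL-terminated C string stops at the first '\0', so the name must instead be compared over its full ASN.1 length and rejected outright if it contains a NUL. All hostnames below are constructed.

```python
# Added example (not Shibboleth SP or Ubuntu code): contrasts a C-string style
# name match with a length-aware one that refuses embedded '\0' characters.
NUL = "\x00"


def cstring_name_matches(cert_name: str, expected_host: str) -> bool:
    """Emulates the flawed behaviour: the name is read as a NUL-terminated
    C string, so everything after the first '\\0' is silently ignored."""
    visible = cert_name.split(NUL, 1)[0]
    return visible.lower() == expected_host.lower()


def length_aware_name_matches(cert_name: str, expected_host: str) -> bool:
    """Hardened check: use the whole string as carried in the certificate,
    refuse embedded NULs and non-DNS characters, and compare label by label
    (a wildcard is honoured only in the leftmost label of a 3+ label name)."""
    if NUL in cert_name:
        return False  # an embedded NUL is never part of a valid DNS name
    if not cert_name or len(cert_name) > 253:
        return False
    labels = cert_name.lower().split(".")
    expected = expected_host.lower().rstrip(".").split(".")
    if len(labels) != len(expected):
        return False
    for i, (lab, exp) in enumerate(zip(labels, expected)):
        if i == 0 and lab == "*":
            if len(expected) < 3:
                return False  # no wildcard match against a bare second-level name
            continue
        if not lab or not all(c.isalnum() or c == "-" for c in lab):
            return False
        if lab != exp:
            return False
    return True


def names_with_embedded_nul(names):
    """Detection helper: return the subject/SAN values that carry a '\\0',
    so a validator can log and reject the certificate as a whole."""
    return [n for n in names if NUL in n]
```

The second function is what a PKIX validator should apply to every subject CN and dNSName SAN value; the first exists only to show how the crafted name passes a C-string comparison.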
Priority
Status
Package | Release | Status
---|---|---
opensaml (Launchpad, Ubuntu, Debian) | dapper | Does not exist
opensaml | hardy | Ignored (end of life)
opensaml | intrepid | Released (1.1.1-2+lenny1build0.8.10.2)
opensaml | jaunty | Released (1.1.1-2+lenny1build0.9.04.2)
opensaml | karmic | Does not exist
opensaml | lucid | Does not exist
opensaml | maverick | Does not exist
opensaml | natty | Does not exist
opensaml | oneiric | Does not exist
opensaml | upstream | Needs triage
shibboleth-sp (Launchpad, Ubuntu, Debian) | dapper | Does not exist
shibboleth-sp | hardy | Ignored (end of life)
shibboleth-sp | intrepid | Ignored (end of life, was needed)
shibboleth-sp | jaunty | Released (1.3.1.dfsg1-3+lenny1build0.9.04.2)
shibboleth-sp | karmic | Does not exist
shibboleth-sp | lucid | Does not exist
shibboleth-sp | maverick | Does not exist
shibboleth-sp | natty | Does not exist
shibboleth-sp | oneiric | Does not exist
shibboleth-sp | upstream | Released (1.3.3, 2.2.1)
xmltooling (Launchpad, Ubuntu, Debian) | dapper | Does not exist
xmltooling | hardy | Does not exist
xmltooling | intrepid | Ignored (end of life, was needed)
xmltooling | jaunty | Ignored (end of life)
xmltooling | karmic | Ignored (end of life)
xmltooling | lucid | Not vulnerable (1.2.2-1)
xmltooling | maverick | Not vulnerable (1.2.2-1)
xmltooling | natty | Not vulnerable (1.2.2-1)
xmltooling | oneiric | Not vulnerable (1.2.2-1)
xmltooling | upstream | Released (1.2.2-1)