Debian: DSA-1896-1 Moderate: Shibboleth Remote Execution Threat
debian
September 28, 2009
Several vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x: Chris Ries discovered that decoding a crafted URL leads to a cra...
Summary
Several vulnerabilities have been discovered in the opensaml and
shibboleth-sp packages, as used by Shibboleth 1.x:
Chris Ries discovered that decoding a crafted URL leads to a crash
(and potentially, arbitrary code execution).
Ian Young discovered that embedded NUL characters in certificate names
were not correctly handled, exposing configurations using PKIX trust
validation to impersonation attacks.
Incorrect processing of SAML metadata ignored key usage constraints.
For the old stable distribution (etch), these problems have been fixed
in version 1.3f.dfsg1-2+etch1 of the shibboleth-sp packages, and
version 1.1a-2+etch1 of the opensaml packages.
For the stable distribution (lenny), these problems have been fixed in
version 1.3.1.dfsg1-3+lenny1 of the shibboleth-sp packages, and
version 1.1.1-2+lenny1 of the opensaml packages.
The unstable distribution (sid) does not contain Shibboleth 1.x
packages.
This update requires restarting the affected services (mainly Apache)
to become effective.
We recomm...
PREVIOUS
NEXT
Package: opensaml, shibboleth-sp
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!