[Backports-security-announce] Security Update for Shibboleth packages

Source: lists.debian.org, 2009-12-08 03:08:05
Record ID: DEBIAN:A7F1AD21A846A633B2D939FC737D1788:D0D4D

EPSS: 0.003 (percentile 65.3%)

Russ Allbery uploaded new packages for xmltooling, opensaml2,
shibboleth-sp2, and shibboleth-sp which fixed the following security
problems:

CVE-2009-3300

The Shibboleth software includes code to perform arbitrary
redirections and generates forms containing arbitrary destinations in
certain cases.  The URLs used were not properly checked for certain
kinds of cross-site scripting (XSS) attacks and are vulnerable to
script injection and some related vulnerabilities.

See http://shibboleth.internet2.edu/secadv/secadv_20091104.txt

The fix for the lenny-backports distribution requires updating all of
xmltooling, opensaml2, and shibboleth-sp2. The problems have been fixed
in xmltooling 1.3.1-1~bpo50+1, opensaml2 2.3-1~bpo50+2, and shibboleth-sp2
2.3+dfsg-1~bpo50+1.

For the unstable and testing distributions, the problems have been fixed
in xmltooling 1.3.1-1, opensaml2 2.3-1, and shibboleth-sp2 2.3+dfsg-1.

For the stable (lenny) distribution, the problems have been fixed in
opensaml2 2.0-2+lenny2 and shibboleth-sp2 2.0.dfsg1-4+lenny2. No update
to xmltooling is required for the stable distribution.

The older Shibboleth 1.x implementation which shipped with lenny and etch
is also affected. For the etch-backports distribution, the problems have
been fixed in shibboleth-sp 1.3.1.dfsg1-3+lenny2~bpo40+1.

For the stable (lenny) distribution, the problems have been fixed in
shibboleth-sp 1.3.1.dfsg1-3+lenny2.

For the oldstable (etch) distribution, the problems have been fixed in
1.3f.dfsg1-2+etch2.

Upgrade instructions

If you don't use pinning (see [1]), you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>", where
the packagelist consists of the installed packages affected by this update.

We recommend pinning the backports repository to priority 200 so that new
versions of installed backports are installed automatically.

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>


Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
