Bug#555608: CVE-2009-3300
Giuseppe Iuculano
iuculano at debian.org
Tue Nov 10 12:38:44 UTC 2009
Package: shibboleth-sp2
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for shibboleth-sp2.
CVE-2009-3300[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in the Identity
| Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the
| Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2
| Middleware Initiative Shibboleth allow remote attackers to inject
| arbitrary web script or HTML via URLs that are encountered in
| redirections, and appear in automatically generated forms.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3300
http://security-tracker.debian.org/tracker/CVE-2009-3300
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkr5XtEACgkQNxpp46476apFCACbBss6JYADgu8V21ve+ETiRWxR
udUAn2O3g+VpKRxIbSAT9/pFA/gL851Y
=K2dl
-----END PGP SIGNATURE-----
More information about the Pkg-shibboleth-devel
mailing list