Bug#555608: CVE-2009-3300

Russ Allbery rra at debian.org
Tue Nov 10 19:14:49 UTC 2009

Giuseppe Iuculano <iuculano at debian.org> writes:

> the following CVE (Common Vulnerabilities & Exposures) id was
> published for shibboleth-sp2.
>
> CVE-2009-3300[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in the Identity
> | Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the
> | Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2
> | Middleware Initiative Shibboleth allow remote attackers to inject
> | arbitrary web script or HTML via URLs that are encountered in
> | redirections, and appear in automatically generated forms.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

The first updated package is currently sitting in NEW (and has been for
some time).  The sid update requires updates to xmltooling, opensaml2, and
shibboleth-sp2 since the upstream solution also changes the library
SONAME.  That means xmltooling, opensaml2, and shibboleth-sp2 all have to
clear NEW to resolve this bug for unstable.  xmltooling has been uploaded.
I'm going to stage the packages in my personal repository until they can
get through NEW processing.

We're evaluating whether we can patch shibboleth-sp2 in stable without
changing the SONAME or requiring rebuilt versions of the supporting

shibboleth-sp in stable and oldstable is also affected, and I hope to work
on that soon.

Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

More information about the Pkg-shibboleth-devel mailing list