CVE-2009-3300

Name	CVE-2009-3300
Description	Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections, and appear in automatically generated forms.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1947-1
Debian Bugs	555608

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
shibboleth-sp (PTS)	buster, buster (security)	3.0.4+dfsg1-1+deb10u2	fixed
	bullseye	3.2.2+dfsg1-1	fixed
	trixie, bookworm	3.4.1+dfsg-2	fixed
	sid	3.4.1+dfsg-2.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
opensaml2	source	lenny	2.0-2+lenny2		DSA-1947-1
opensaml2	source	(unstable)	2.3-1	medium
shibboleth-sp	source	etch	1.3f.dfsg1-2+etch2		DSA-1947-1
shibboleth-sp	source	lenny	1.3.1.dfsg1-3+lenny2		DSA-1947-1
shibboleth-sp	source	(unstable)	3.0.2+dfsg1-2	medium
shibboleth-sp2	source	lenny	2.0.dfsg1-4+lenny2		DSA-1947-1
shibboleth-sp2	source	(unstable)	2.3+dfsg-1	medium		555608

xmltooling also needs to be updated, changed in sid in 1.3.1-1