CVE-2009-3474

Name	CVE-2009-3474
Description	OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1895-1, DSA-1895-2, DSA-1896-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
opensaml (PTS)	buster	3.0.1-1	fixed
	bullseye	3.2.0-2	fixed
	bookworm	3.2.1-3	fixed
	trixie	3.2.1-4	fixed
	sid	3.2.1-4.1	fixed
shibboleth-sp (PTS)	buster, buster (security)	3.0.4+dfsg1-1+deb10u2	fixed
	bullseye	3.2.2+dfsg1-1	fixed
	bookworm, trixie	3.4.1+dfsg-2	fixed
	sid	3.4.1+dfsg-2.1	fixed
xmltooling (PTS)	buster	3.0.4-1+deb10u1	fixed
	buster (security)	3.0.4-1+deb10u2	fixed
	bullseye (security), bullseye	3.2.0-3+deb11u1	fixed
	bookworm, bookworm (security)	3.2.3-1+deb12u1	fixed
	trixie	3.2.4-2	fixed
	sid	3.2.4-2.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
opensaml	source	etch	1.1a-2+etch1		DSA-1896-1
opensaml	source	lenny	1.1.1-2+lenny1
opensaml	source	(unstable)	3.0.0-2
opensaml2	source	lenny	2.0-2+lenny1
opensaml2	source	(unstable)	2.2.1-1
shibboleth-sp	source	etch	1.3f.dfsg1-2+etch1		DSA-1896-1
shibboleth-sp	source	lenny	1.3.1.dfsg1-3+lenny1		DSA-1896-1
shibboleth-sp	source	(unstable)	3.0.2+dfsg1-2
shibboleth-sp2	source	lenny	2.0.dfsg1-4+lenny1		DSA-1895-2
shibboleth-sp2	source	(unstable)	2.2.1+dfsg-1
xmltooling	source	lenny	1.0-2+lenny1		DSA-1895-1
xmltooling	source	(unstable)	1.2.2-1