CVE-2009-3475

Name: CVE-2009-3475
Description: Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-1895-1, DSA-1895-2, DSA-1896-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| opensaml (PTS) | buster | 3.0.1-1 | fixed |
| | bullseye | 3.2.0-2 | fixed |
| | bookworm | 3.2.1-3 | fixed |
| | trixie | 3.2.1-4 | fixed |
| | sid | 3.2.1-4.1 | fixed |
| shibboleth-sp (PTS) | buster, buster (security) | 3.0.4+dfsg1-1+deb10u2 | fixed |
| | bullseye | 3.2.2+dfsg1-1 | fixed |
| | trixie, bookworm | 3.4.1+dfsg-2 | fixed |
| | sid | 3.4.1+dfsg-2.1 | fixed |
| xmltooling (PTS) | buster | 3.0.4-1+deb10u1 | fixed |
| | buster (security) | 3.0.4-1+deb10u2 | fixed |
| | bullseye (security), bullseye | 3.2.0-3+deb11u1 | fixed |
| | bookworm, bookworm (security) | 3.2.3-1+deb12u1 | fixed |
| | trixie | 3.2.4-2 | fixed |
| | sid | 3.2.4-2.1 | fixed |

The information below is based on the following data on fixed versions.

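| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| opensaml | source | etch | 1.1a-2+etch1 | | DSA-1896-1 | |
| opensaml | source | lenny | 1.1.1-2+lenny1 | | DSA-1896-1 | |
| opensaml | source | (unstable) | 3.0.0-2 | | | |
| opensaml2 | source | lenny | 2.0-2+lenny1 | | DSA-1895-2 | |
| opensaml2 | source | (unstable) | 2.2.1-1 | | | |
| shibboleth-sp | source | etch | 1.3f.dfsg1-2+etch1 | | DSA-1896-1 | |
| shibboleth-sp | source | lenny | 1.3.1.dfsg1-3+lenny1 | | DSA-1896-1 | |
| shibboleth-sp | source | (unstable) | 3.0.2+dfsg1-2 | | | |
| shibboleth-sp2 | source | lenny | 2.0.dfsg1-4+lenny1 | | DSA-1895-2 | |
| shibboleth-sp2 | source | (unstable) | 2.2.1+dfsg-1 | | | |
| xmltooling | source | lenny | 1.0-2+lenny1 | | DSA-1895-1 | |
| xmltooling | source | (unstable) | 1.2.2-1 | | | |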
