Debian Security Advisory 1896 opensaml, shibboleth-sp – several vulnerabilities

22
Article Source Debian Security Advisories
September 27, 2009, 5:00 pm

Several vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x:

  • Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution).

  • Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks.

  • Incorrect processing of SAML metadata ignored key usage constraints…