Debian Security Advisory 1896 opensaml, shibboleth-sp – several vulnerabilities

Several vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x:

• Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution).

• Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks.

• Incorrect processing of SAML metadata ignored key usage constraints…