CVE-2009-3474
Published: 29 September 2009
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
Priority
Status
Package | Release | Status |
---|---|---|
opensaml | dapper | Does not exist |
opensaml | hardy | Ignored (end of life) |
opensaml | intrepid | Released (1.1.1-2+lenny1build0.8.10.2) |
opensaml | jaunty | Released (1.1.1-2+lenny1build0.9.04.2) |
opensaml | karmic | Does not exist |
opensaml | lucid | Does not exist |
opensaml | maverick | Does not exist |
opensaml | natty | Does not exist |
opensaml | oneiric | Does not exist |
opensaml | upstream | Released (2.2.1) |
shibboleth-sp | dapper | Does not exist |
shibboleth-sp | hardy | Ignored (end of life) |
shibboleth-sp | intrepid | Ignored (end of life, was needed) |
shibboleth-sp | jaunty | Released (1.3.1.dfsg1-3+lenny1build0.9.04.2) |
shibboleth-sp | karmic | Does not exist |
shibboleth-sp | lucid | Does not exist |
shibboleth-sp | maverick | Does not exist |
shibboleth-sp | natty | Does not exist |
shibboleth-sp | oneiric | Does not exist |
shibboleth-sp | upstream | Released (2.2.1) |
xmltooling | dapper | Does not exist |
xmltooling | hardy | Does not exist |
xmltooling | intrepid | Released (1.0-2+lenny1build0.8.10.1) |
xmltooling | jaunty | Released (1.0-2+lenny1build0.9.04.1) |
xmltooling | karmic | Ignored (end of life) |
xmltooling | lucid | Not vulnerable (1.2.2-1) |
xmltooling | maverick | Not vulnerable (1.2.2-1) |
xmltooling | natty | Not vulnerable (1.2.2-1) |
xmltooling | oneiric | Not vulnerable (1.2.2-1) |
xmltooling | upstream | Released (1.2.2-1) |