
Debian Bug report logs - #555608
CVE-2009-3300


Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Tue, 10 Nov 2009 12:48:01 UTC

Severity: serious

Tags: security

Fixed in versions shibboleth-sp2/2.3+dfsg-1, shibboleth-sp2/2.0.dfsg1-4+lenny2

Done: Ferenc Wagner <wferi@niif.hu>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#555608; Package shibboleth-sp2. (Tue, 10 Nov 2009 12:48:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Tue, 10 Nov 2009 12:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-3300
Date: Tue, 10 Nov 2009 13:38:44 +0100
Package: shibboleth-sp2
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for shibboleth-sp2.

CVE-2009-3300[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in the Identity
| Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the
| Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2
| Middleware Initiative Shibboleth allow remote attackers to inject
| arbitrary web script or HTML via URLs that are encountered in
| redirections, and appear in automatically generated forms.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3300
    http://security-tracker.debian.org/tracker/CVE-2009-3300


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkr5XtEACgkQNxpp46476apFCACbBss6JYADgu8V21ve+ETiRWxR
udUAn2O3g+VpKRxIbSAT9/pFA/gL851Y
=K2dl
-----END PGP SIGNATURE-----
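The CVE text above describes a URL taken from a redirect being copied verbatim into an automatically generated HTML form (the SAML POST binding does exactly this). The C++ below is an added illustration of that bug class and its fix, written for this page; it is not Shibboleth SP code, and the helper names (htmlEscape, buildFormVulnerable, buildFormSafe, urlHasIllegalChars, containsScriptTag), the sample target URL and the SAMLResponse stub are constructed assumptions.

```cpp
// Added illustration of the XSS class behind CVE-2009-3300 (not the
// Shibboleth SP's own code). A POST-binding form is generated from a
// target URL that the SP received in a redirect. If that URL is pasted
// into the form unescaped, whoever controls it controls the markup.
#include <cctype>
#include <iostream>
#include <string>

// Escape the characters that terminate HTML text or a quoted attribute.
// Hypothetical helper; the real SP uses its own template engine.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Vulnerable pattern: attacker-influenced URL inserted raw into the form.
std::string buildFormVulnerable(const std::string& target, const std::string& samlResponse) {
    return "<form method=\"POST\" action=\"" + target + "\">"
           "<input type=\"hidden\" name=\"SAMLResponse\" value=\"" + samlResponse + "\"/>"
           "</form>";
}

// Hardened pattern: every value that came from the network is escaped for
// the attribute context it lands in.
std::string buildFormSafe(const std::string& target, const std::string& samlResponse) {
    return "<form method=\"POST\" action=\"" + htmlEscape(target) + "\">"
           "<input type=\"hidden\" name=\"SAMLResponse\" value=\"" + htmlEscape(samlResponse) + "\"/>"
           "</form>";
}

// Defence in depth: reject a "URL" carrying characters that cannot occur
// in an RFC 3986 URL at all. Note that the apostrophe is a legal
// sub-delim, so this check alone would not stop injection into a
// single-quoted attribute; escaping remains the primary fix.
bool urlHasIllegalChars(const std::string& url) {
    static const std::string extra = "-._~:/?#[]@!$&'()*+,;=%";
    for (unsigned char c : url) {
        if (!std::isalnum(c) && extra.find(static_cast<char>(c)) == std::string::npos)
            return true;
    }
    return false;
}

// Crude detector used only to demonstrate the difference between the two
// generators: nothing in the trusted template contributes a <script tag.
bool containsScriptTag(const std::string& html) {
    return html.find("<script") != std::string::npos;
}

// Constructed attacker-controlled redirect target and a benign one.
const std::string kMaliciousTarget =
    "https://sp.example.org/Shibboleth.sso/SAML2/POST\"><script>alert(1)</script><a x=\"";
const std::string kBenignTarget = "https://sp.example.org/Shibboleth.sso/SAML2/POST";
// Constructed base64 stub standing in for a real SAMLResponse.
const std::string kSamlResponse = "PHNhbWxwOlJlc3BvbnNlLi4u";

int main() {
    std::cout << "vulnerable:\n" << buildFormVulnerable(kMaliciousTarget, kSamlResponse) << "\n\n";
    std::cout << "hardened:\n"   << buildFormSafe(kMaliciousTarget, kSamlResponse) << "\n\n";
    std::cout << "illegal chars in malicious target: "
              << (urlHasIllegalChars(kMaliciousTarget) ? "yes" : "no") << "\n";
    return 0;
}
```

Running the program prints the raw form with the injected script tag, then the escaped form in which the same input is inert. The character allowlist is worth keeping as a second line of defence (it also rejects whitespace and control characters), but as the comment notes it cannot replace context-aware escaping.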




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#555608; Package shibboleth-sp2. (Tue, 10 Nov 2009 19:27:06 GMT)


Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>. (Tue, 10 Nov 2009 19:27:06 GMT)


Message #10 received at 555608@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: Giuseppe Iuculano <iuculano@debian.org>
Cc: 555608@bugs.debian.org
Subject: Re: Bug#555608: CVE-2009-3300
Date: Tue, 10 Nov 2009 11:14:49 -0800
Giuseppe Iuculano <iuculano@debian.org> writes:

> the following CVE (Common Vulnerabilities & Exposures) id was
> published for shibboleth-sp2.

> CVE-2009-3300[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in the Identity
> | Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the
> | Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2
> | Middleware Initiative Shibboleth allow remote attackers to inject
> | arbitrary web script or HTML via URLs that are encountered in
> | redirections, and appear in automatically generated forms.

> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

The first updated package is currently sitting in NEW (and has been for
some time).  The sid update requires updates to xmltooling, opensaml2, and
shibboleth-sp2 since the upstream solution also changes the library
SONAME.  That means xmltooling, opensaml2, and shibboleth-sp2 all have to
clear NEW to resolve this bug for unstable.  xmltooling has been uploaded.
I'm going to stage the packages in my personal repository until they can
get through NEW processing.

We're evaluating whether we can patch shibboleth-sp2 in stable without
changing the SONAME or requiring rebuilt versions of the supporting
libraries.

shibboleth-sp in stable and oldstable is also affected, and I hope to work
on that soon.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Added tag(s) pending. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Thu, 12 Nov 2009 19:36:13 GMT)


Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Fri, 20 Nov 2009 15:36:19 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Fri, 20 Nov 2009 15:36:20 GMT)


Message #17 received at 555608-close@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 555608-close@bugs.debian.org
Subject: Bug#555608: fixed in shibboleth-sp2 2.3+dfsg-1
Date: Fri, 20 Nov 2009 15:34:17 +0000
Source: shibboleth-sp2
Source-Version: 2.3+dfsg-1

We believe that the bug you reported is fixed in the latest version of
shibboleth-sp2, which is due to be installed in the Debian FTP archive:

libapache2-mod-shib2_2.3+dfsg-1_i386.deb
  to main/s/shibboleth-sp2/libapache2-mod-shib2_2.3+dfsg-1_i386.deb
libshibsp-dev_2.3+dfsg-1_i386.deb
  to main/s/shibboleth-sp2/libshibsp-dev_2.3+dfsg-1_i386.deb
libshibsp-doc_2.3+dfsg-1_all.deb
  to main/s/shibboleth-sp2/libshibsp-doc_2.3+dfsg-1_all.deb
libshibsp4_2.3+dfsg-1_i386.deb
  to main/s/shibboleth-sp2/libshibsp4_2.3+dfsg-1_i386.deb
shibboleth-sp2-schemas_2.3+dfsg-1_all.deb
  to main/s/shibboleth-sp2/shibboleth-sp2-schemas_2.3+dfsg-1_all.deb
shibboleth-sp2_2.3+dfsg-1.diff.gz
  to main/s/shibboleth-sp2/shibboleth-sp2_2.3+dfsg-1.diff.gz
shibboleth-sp2_2.3+dfsg-1.dsc
  to main/s/shibboleth-sp2/shibboleth-sp2_2.3+dfsg-1.dsc
shibboleth-sp2_2.3+dfsg.orig.tar.gz
  to main/s/shibboleth-sp2/shibboleth-sp2_2.3+dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 555608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated shibboleth-sp2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 11 Nov 2009 14:39:44 -0800
Source: shibboleth-sp2
Binary: libapache2-mod-shib2 libshibsp4 libshibsp-dev libshibsp-doc shibboleth-sp2-schemas
Architecture: source i386 all
Version: 2.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 libapache2-mod-shib2 - Federated web single sign-on system (Apache module)
 libshibsp-dev - Federated web single sign-on system (development)
 libshibsp-doc - Federated web single sign-on system (API docs)
 libshibsp4 - Federated web single sign-on system (runtime)
 shibboleth-sp2-schemas - Federated web single sign-on system (schemas)
Closes: 555608
Changes: 
 shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high
 .
   [ Russ Allbery ]
   * Urgency set to high for security fix.
   * New upstream release.
     - SECURITY: Partial fix for improper handling of URLs that could be
       abused for script injection and other cross-site scripting attacks.
       The complete fix also requires newer xmltooling and opensaml2
       packages.  (Closes: #555608, CVE-2009-3300)
     - Avoid shibd crash on dead memcache server.
     - Pass the affiliation name to the session initiator.
     - Correctly handle a bogus ACS.
     - Allow overriding the URL that's passed to the DS.
     - Add schema types for new attribute decoders introduced in 2.2.
     - Handle success with partial logout in the logout UI code.
     - Fix POST data preservation with empty parameters and empty forms.
     - Fix SAML 1 specification of attributes in the query plugin.
     - Shorten ePTId-type persistent identifiers.
     - Use an ID rather than a whole doc reference for generated metadata.
     - Fix spelling of scopeDelimiter in the configuration parser, making
       the code and documentation match the schema.
   * Rename library package for upstream SONAME bump.
   * Tighten build and package dependencies on xmltooling and opensaml2 to
     require the versions with the security fix.
   * Fix watch file for the new version mangling.
   * Improve documentation of DAEMON_OPTS in /etc/default/shibd.
   * Remove unnecessary patches to upstream files regenerated during the
     build from the source package diff.
 .
   [ Faidon Liambotis ]
   * Run make install with NOKEYGEN=1 and stop rm-ing generated
     certificates.  Fixes FTBFS.
 .
   [ Ferenc Wagner ]
   * Run shibd as non-root.
Checksums-Sha1: 
 759a0af4d3362c84ba5fe61039d57032b8b83ec6 1636 shibboleth-sp2_2.3+dfsg-1.dsc
 a15ac5bf6c65a26e44a8b5be2fc194edc6574067 807364 shibboleth-sp2_2.3+dfsg.orig.tar.gz
 dcf8a12d5245ab3c35c2a0a7881e27f5c94c6b11 17637 shibboleth-sp2_2.3+dfsg-1.diff.gz
 cd104c7ad311946f36133666c42dae4c9d9089f9 225598 libapache2-mod-shib2_2.3+dfsg-1_i386.deb
 0700e3080a2f566ef7860e78c2cea34e1839cf14 951818 libshibsp4_2.3+dfsg-1_i386.deb
 eda10a972f35975408e0027d9bab40b852883f88 42964 libshibsp-dev_2.3+dfsg-1_i386.deb
 0409cb229a24ab3629bb34d4a7e28c0bed424032 331962 libshibsp-doc_2.3+dfsg-1_all.deb
 34777ccd22bfcaa068c6e686bc14141a3b256890 18268 shibboleth-sp2-schemas_2.3+dfsg-1_all.deb
Checksums-Sha256: 
 72e530cd880560a27c1d6f1ed57eacae54693ac0064fae6674e61133e411cfd7 1636 shibboleth-sp2_2.3+dfsg-1.dsc
 5a19c7078dd67d42a97630ea82096bdeb0f09d3a070e67cf7cea9281487e1e88 807364 shibboleth-sp2_2.3+dfsg.orig.tar.gz
 865c4fdfa67219225efccf3a907c98778e33f4e55fa27ea52e9f944c569fd47e 17637 shibboleth-sp2_2.3+dfsg-1.diff.gz
 e35dc4e7d48d849dd91e102b9971a894d3d08ec401b147abe1ce63cceef11e0e 225598 libapache2-mod-shib2_2.3+dfsg-1_i386.deb
 6225d432dfbb5ecd28a92952619896fd5a9a8249253fd00ad0bab209d94369d2 951818 libshibsp4_2.3+dfsg-1_i386.deb
 af00b4f99e8edc763b63eab82f5b2c25830d6b908f9d2b1215b5917aca463a07 42964 libshibsp-dev_2.3+dfsg-1_i386.deb
 58ad0b6f6df170f3b3602ad9d7cc296e2b962f03cde2be447b57e6ca9b7612fa 331962 libshibsp-doc_2.3+dfsg-1_all.deb
 cfb3c93b85e3d930cd8682748765c15e12212afe69d875762a6f6edd4ed5b9ce 18268 shibboleth-sp2-schemas_2.3+dfsg-1_all.deb
Files: 
 2f88c18d3f409d31ec7483ef3eaca5a7 1636 web extra shibboleth-sp2_2.3+dfsg-1.dsc
 6d674cfe5862654ab05831a4a5fc2d2b 807364 web extra shibboleth-sp2_2.3+dfsg.orig.tar.gz
 bbf138cb1fb1604452b3ebcbde5ad110 17637 web extra shibboleth-sp2_2.3+dfsg-1.diff.gz
 09c2a32811c93e7b97fcaec16f6166d5 225598 httpd extra libapache2-mod-shib2_2.3+dfsg-1_i386.deb
 c7315ddf839d59cd17071ce911baef3a 951818 libs extra libshibsp4_2.3+dfsg-1_i386.deb
 53869c333d823ff96883f646a2b06e21 42964 libdevel extra libshibsp-dev_2.3+dfsg-1_i386.deb
 d6d2b1fbc88bcb026d4d17ba2885c5cd 331962 doc extra libshibsp-doc_2.3+dfsg-1_all.deb
 b70882e72d1c158c7a661db696855249 18268 text extra shibboleth-sp2-schemas_2.3+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkr7Vs0ACgkQ+YXjQAr8dHaxrACeJ+6wMT/7bQqGfsRIG2gRzZrw
2dgAnRZJ4loHHKJ8zhallh+Lw/98uWp4
=duds
-----END PGP SIGNATURE-----





Reply sent to Ferenc Wagner <wferi@niif.hu>:
You have taken responsibility. (Thu, 17 Dec 2009 00:51:03 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Thu, 17 Dec 2009 00:51:03 GMT)


Message #22 received at 555608-close@bugs.debian.org:

From: Ferenc Wagner <wferi@niif.hu>
To: 555608-close@bugs.debian.org
Subject: Bug#555608: fixed in shibboleth-sp2 2.0.dfsg1-4+lenny2
Date: Thu, 17 Dec 2009 00:48:32 +0000
Source: shibboleth-sp2
Source-Version: 2.0.dfsg1-4+lenny2

We believe that the bug you reported is fixed in the latest version of
shibboleth-sp2, which is due to be installed in the Debian FTP archive:

libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
  to main/s/shibboleth-sp2/libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
  to main/s/shibboleth-sp2/libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
  to main/s/shibboleth-sp2/libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
  to main/s/shibboleth-sp2/libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb
  to main/s/shibboleth-sp2/shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb
shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
  to main/s/shibboleth-sp2/shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc
  to main/s/shibboleth-sp2/shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 555608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wagner <wferi@niif.hu> (supplier of updated shibboleth-sp2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 24 Nov 2009 16:02:12 +0100
Source: shibboleth-sp2
Binary: libapache2-mod-shib2 libshibsp1 libshibsp-dev libshibsp-doc shibboleth-sp2-schemas
Architecture: source i386 all
Version: 2.0.dfsg1-4+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wagner <wferi@niif.hu>
Description: 
 libapache2-mod-shib2 - Federated web single sign-on system (Apache module)
 libshibsp-dev - Federated web single sign-on system (development)
 libshibsp-doc - Federated web single sign-on system (API docs)
 libshibsp1 - Federated web single sign-on system (runtime)
 shibboleth-sp2-schemas - Federated web single sign-on system (schemas)
Closes: 555608
Changes: 
 shibboleth-sp2 (2.0.dfsg1-4+lenny2) stable-security; urgency=high
 .
   * SECURITY: Partial fix for improper handling of URLs that could be
     abused for script injection and other cross-site scripting attacks.
     The complete fix also requires a newer opensaml2 package.
     (Closes: #555608, CVE-2009-3300)
Checksums-Sha1: 
 c77f4ca965aaf84f9caa041be19dee90a1793017 1672 shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc
 dad477d1ffb355e1ac1369bcf7db71191934e522 17174 shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
 6157a3ac29a690e2f101b0c12a10529e288e16ff 220864 libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
 113729fbcf810d73f5d7753d4271edcdc7327044 830196 libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
 64bc8e4cb5e28c7b9c27c653610f89bc95348842 39896 libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
 04a3b0e61d42a907d1d6e88e3bb1861d8ce1267d 258520 libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
 b40193580e293f55615725842ad7b82161da1a3d 15434 shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb
Checksums-Sha256: 
 6edb0f338c28b192460cc8cec1f9f7d82f8a4a52cf255b9b11a58b73595bf06c 1672 shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc
 384e32555b4b6f4d34b3f41c926695a820693b8830c8d5ab7723c4bf6ab8d46d 17174 shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
 1b9c50e7ad0dfb0aec5a581a94e5d2432a1c3ce335f6ecd575f6054ebd76dcc9 220864 libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
 421565214eb1c4a5f559435e6c64f3967799b649c741544fd4958d675d2736f8 830196 libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
 789042c0627075c7420066e3c7d5418b9e12052282e2557ea68e36430f391892 39896 libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
 abdf8e5c973a8a1a4e6123f57a6b55bd5dd0f866fbbaab6786ffdf870dcd8c35 258520 libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
 5279cdb700033339ad6a36d635016efe6b541d088d1966e21d45376ea2288a75 15434 shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb
Files: 
 7cef2a57583d84e46a214475c4a25393 1672 web extra shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc
 b9b0333f56c573d4a7f9bf608cbc4a89 17174 web extra shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
 e29f350428d1b68225d7c8ba7cd3a1ae 220864 web extra libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
 69baa4d5223c2de49c11efb1f5221a60 830196 libs extra libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
 92ee9791f3230e4ea0af774d21f94168 39896 libdevel extra libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
 39b8bdad69f6bfa31730c459da5b575c 258520 doc extra libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
 4f601fe9b3886b22316a141e01e707a6 15434 text extra shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkscIDkACgkQ+YXjQAr8dHa+JgCgufsPx9LYWPqqwlZAyuEbkuJ4
iyEAn3LHICZGbtiFAP7Zy72T+a6yWz0H
=ByCR
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:27:48 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:15:40 2019; Machine Name: buxtehude
