Your message dated Thu, 17 Dec 2009 00:48:32 +0000
with message-id <[email protected]>
and subject line Bug#555608: fixed in shibboleth-sp2 2.0.dfsg1-4+lenny2
has caused the Debian Bug report #555608,
regarding CVE-2009-3300
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
555608: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555608
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: shibboleth-sp2
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for shibboleth-sp2.
CVE-2009-3300[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in the Identity
| Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the
| Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2
| Middleware Initiative Shibboleth allow remote attackers to inject
| arbitrary web script or HTML via URLs that are encountered in
| redirections, and appear in automatically generated forms.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3300
http://security-tracker.debian.org/tracker/CVE-2009-3300
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkr5XtEACgkQNxpp46476apFCACbBss6JYADgu8V21ve+ETiRWxR
udUAn2O3g+VpKRxIbSAT9/pFA/gL851Y
=K2dl
-----END PGP SIGNATURE-----
--- End Message ---
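The CVE text quoted in the report above describes one bug class: a URL that arrives through a redirect (or a request parameter) is written into an automatically generated, auto-submitting HTML form without escaping. The following is an added example, not code from Shibboleth, OpenSAML or Debian, that reproduces that class in Python and shows the hardening: the vulnerable renderer interpolates the URL verbatim, the hardened one validates the target and escapes every attribute value. Every function name, URL and input below is constructed for this example.

```python
"""Added example, not code from Shibboleth, OpenSAML or Debian.

Demonstrates the bug class in CVE-2009-3300: an attacker-controlled URL
(reached via a redirect or query parameter) is written into an
automatically generated, auto-submitting HTML form without escaping, so
the attacker breaks out of the attribute and injects markup. The
function names, URLs and sample inputs are constructed for this example.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed attacker-controlled target: closes the action="" attribute,
# injects a script element, then re-opens an attribute to swallow the rest.
ATTACKER_URL = 'https://sp.example.org/SAML2/POST"><script>alert(1)</script><a href="'
SAML_RESPONSE = "PHNhbWxwOlJlc3BvbnNlLz4="   # constructed base64 placeholder
RELAY_STATE = "cookie:42"                     # constructed relay state

FORM_TEMPLATE = (
    '<form method="POST" action="%s">'
    '<input type="hidden" name="SAMLResponse" value="%s"/>'
    '<input type="hidden" name="RelayState" value="%s"/>'
    '</form>'
    '<script>document.forms[0].submit();</script>'
)


def render_form_vulnerable(action_url, saml_response, relay_state):
    """The flawed pattern: values are interpolated into HTML verbatim."""
    return FORM_TEMPLATE % (action_url, saml_response, relay_state)


def attr_escape(value):
    """Escape a value for use inside a double-quoted HTML attribute."""
    return html.escape(value, quote=True)


_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validated_target(url):
    """Accept only absolute http(s) URLs without control characters.

    Escaping stops attribute breakout; this check additionally refuses
    targets such as javascript: URLs that are harmful even when escaped.
    """
    if _CONTROL_CHARS.search(url):
        raise ValueError("control character in redirect target")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("redirect target must be an absolute http(s) URL")
    return url


def render_form_hardened(action_url, saml_response, relay_state):
    """Validate the target, then escape every value before interpolation."""
    target = validated_target(action_url)
    return FORM_TEMPLATE % (
        attr_escape(target),
        attr_escape(saml_response),
        attr_escape(relay_state),
    )


def script_injected(rendered):
    """True if more than the single legitimate auto-submit <script> is present."""
    return rendered.count("<script>") > 1


def rejects_target(url):
    """True if validated_target() refuses the URL."""
    try:
        validated_target(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bad = render_form_vulnerable(ATTACKER_URL, SAML_RESPONSE, RELAY_STATE)
    good = render_form_hardened(ATTACKER_URL, SAML_RESPONSE, RELAY_STATE)
    print("vulnerable output injected:", script_injected(bad))    # True
    print("hardened output injected:  ", script_injected(good))   # False
    print("javascript: target refused:", rejects_target("javascript:alert(1)"))  # True
```

Note that the attacker URL passes the scheme check, since it really is an https URL with junk in its path; it is the attribute escaping, not the validation, that neutralises it. The validation step covers the separate case of a target that is harmful even when escaped correctly (a javascript: scheme, or embedded CR/LF), which is why both checks belong in the hardened renderer.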
--- Begin Message ---
Source: shibboleth-sp2
Source-Version: 2.0.dfsg1-4+lenny2
We believe that the bug you reported is fixed in the latest version of
shibboleth-sp2, which is due to be installed in the Debian FTP archive:
libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
to main/s/shibboleth-sp2/libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
to main/s/shibboleth-sp2/libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
to main/s/shibboleth-sp2/libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
to main/s/shibboleth-sp2/libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb
to main/s/shibboleth-sp2/shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb
shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
to main/s/shibboleth-sp2/shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc
to main/s/shibboleth-sp2/shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wagner <[email protected]> (supplier of updated shibboleth-sp2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 24 Nov 2009 16:02:12 +0100
Source: shibboleth-sp2
Binary: libapache2-mod-shib2 libshibsp1 libshibsp-dev libshibsp-doc shibboleth-sp2-schemas
Architecture: source i386 all
Version: 2.0.dfsg1-4+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Ferenc Wagner <[email protected]>
Description:
libapache2-mod-shib2 - Federated web single sign-on system (Apache module)
libshibsp-dev - Federated web single sign-on system (development)
libshibsp-doc - Federated web single sign-on system (API docs)
libshibsp1 - Federated web single sign-on system (runtime)
shibboleth-sp2-schemas - Federated web single sign-on system (schemas)
Closes: 555608
Changes:
shibboleth-sp2 (2.0.dfsg1-4+lenny2) stable-security; urgency=high
.
* SECURITY: Partial fix for improper handling of URLs that could be
abused for script injection and other cross-site scripting attacks.
The complete fix also requires a newer opensaml2 package.
(Closes: #555608, CVE-2009-3300)
Checksums-Sha1:
c77f4ca965aaf84f9caa041be19dee90a1793017 1672 shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc
dad477d1ffb355e1ac1369bcf7db71191934e522 17174 shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
6157a3ac29a690e2f101b0c12a10529e288e16ff 220864 libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
113729fbcf810d73f5d7753d4271edcdc7327044 830196 libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
64bc8e4cb5e28c7b9c27c653610f89bc95348842 39896 libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
04a3b0e61d42a907d1d6e88e3bb1861d8ce1267d 258520 libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
b40193580e293f55615725842ad7b82161da1a3d 15434 shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb
Checksums-Sha256:
6edb0f338c28b192460cc8cec1f9f7d82f8a4a52cf255b9b11a58b73595bf06c 1672 shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc
384e32555b4b6f4d34b3f41c926695a820693b8830c8d5ab7723c4bf6ab8d46d 17174 shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
1b9c50e7ad0dfb0aec5a581a94e5d2432a1c3ce335f6ecd575f6054ebd76dcc9 220864 libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
421565214eb1c4a5f559435e6c64f3967799b649c741544fd4958d675d2736f8 830196 libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
789042c0627075c7420066e3c7d5418b9e12052282e2557ea68e36430f391892 39896 libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
abdf8e5c973a8a1a4e6123f57a6b55bd5dd0f866fbbaab6786ffdf870dcd8c35 258520 libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
5279cdb700033339ad6a36d635016efe6b541d088d1966e21d45376ea2288a75 15434 shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb
Files:
7cef2a57583d84e46a214475c4a25393 1672 web extra shibboleth-sp2_2.0.dfsg1-4+lenny2.dsc
b9b0333f56c573d4a7f9bf608cbc4a89 17174 web extra shibboleth-sp2_2.0.dfsg1-4+lenny2.diff.gz
e29f350428d1b68225d7c8ba7cd3a1ae 220864 web extra libapache2-mod-shib2_2.0.dfsg1-4+lenny2_i386.deb
69baa4d5223c2de49c11efb1f5221a60 830196 libs extra libshibsp1_2.0.dfsg1-4+lenny2_i386.deb
92ee9791f3230e4ea0af774d21f94168 39896 libdevel extra libshibsp-dev_2.0.dfsg1-4+lenny2_i386.deb
39b8bdad69f6bfa31730c459da5b575c 258520 doc extra libshibsp-doc_2.0.dfsg1-4+lenny2_all.deb
4f601fe9b3886b22316a141e01e707a6 15434 text extra shibboleth-sp2-schemas_2.0.dfsg1-4+lenny2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkscIDkACgkQ+YXjQAr8dHa+JgCgufsPx9LYWPqqwlZAyuEbkuJ4
iyEAn3LHICZGbtiFAP7Zy72T+a6yWz0H
=ByCR
-----END PGP SIGNATURE-----
--- End Message ---