CVE-2009-3475

描述

Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

受影響套件(3)

• Debian/opensamlfrom 0, < 3.0.0-2
• Debian/shibboleth-spfrom 0, < 3.0.2+dfsg1-2
• Debian/xmltoolingfrom 0, < 1.2.2-1

參考連結(1)

• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2009-3475