Field | Value |
---|---|
Name | CVE-2009-3300 |
Description | Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections, and appear in automatically generated forms. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-1947-1 |
Debian Bugs | 555608 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
opensaml2 (PTS) | jessie, jessie (lts) | 2.5.3-2+deb8u2 | fixed |
opensaml2 (PTS) | stretch (security), stretch (lts), stretch | 2.6.0-4+deb9u1 | fixed |
shibboleth-sp (PTS) | buster (security), buster, buster (lts) | 3.0.4+dfsg1-1+deb10u2 | fixed |
shibboleth-sp (PTS) | bullseye | 3.2.2+dfsg1-1 | fixed |
shibboleth-sp (PTS) | bookworm | 3.4.1+dfsg-2 | fixed |
shibboleth-sp (PTS) | sid, trixie | 3.4.1+dfsg-2.1 | fixed |
shibboleth-sp2 (PTS) | jessie, jessie (lts) | 2.5.3+dfsg-2+deb8u2 | fixed |
shibboleth-sp2 (PTS) | stretch (security), stretch (lts), stretch | 2.6.0+dfsg1-4+deb9u2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
opensaml2 | source | lenny | 2.0-2+lenny2 | | DSA-1947-1 | |
opensaml2 | source | (unstable) | 2.3-1 | medium | | |
shibboleth-sp | source | etch | 1.3f.dfsg1-2+etch2 | | DSA-1947-1 | |
shibboleth-sp | source | lenny | 1.3.1.dfsg1-3+lenny2 | | DSA-1947-1 | |
shibboleth-sp | source | (unstable) | 3.0.2+dfsg1-2 | medium | | |
shibboleth-sp2 | source | lenny | 2.0.dfsg1-4+lenny2 | | DSA-1947-1 | |
shibboleth-sp2 | source | (unstable) | 2.3+dfsg-1 | medium | | 555608 |
Note: xmltooling also needs to be updated; changed in sid in 1.3.1-1.