DEBIAN-CVE-2009-3475

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2009-3475
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2009-3475.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2009-3475
Upstream
Published
2009-09-29T23:30:00Z
Modified
2025-09-19T06:04:55Z
Summary
[none]
Details

Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

References

Affected packages

Debian:11

opensaml

Package

Name
opensaml
Purl
pkg:deb/debian/opensaml?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.0-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

shibboleth-sp

Package

Name
shibboleth-sp
Purl
pkg:deb/debian/shibboleth-sp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.2+dfsg1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

xmltooling

Package

Name
xmltooling
Purl
pkg:deb/debian/xmltooling?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12

opensaml

Package

Name
opensaml
Purl
pkg:deb/debian/opensaml?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.0-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

shibboleth-sp

Package

Name
shibboleth-sp
Purl
pkg:deb/debian/shibboleth-sp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.2+dfsg1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

xmltooling

Package

Name
xmltooling
Purl
pkg:deb/debian/xmltooling?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13

opensaml

Package

Name
opensaml
Purl
pkg:deb/debian/opensaml?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.0-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

shibboleth-sp

Package

Name
shibboleth-sp
Purl
pkg:deb/debian/shibboleth-sp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.2+dfsg1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

xmltooling

Package

Name
xmltooling
Purl
pkg:deb/debian/xmltooling?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14

opensaml

Package

Name
opensaml
Purl
pkg:deb/debian/opensaml?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.0-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

shibboleth-sp

Package

Name
shibboleth-sp
Purl
pkg:deb/debian/shibboleth-sp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.2+dfsg1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

xmltooling

Package

Name
xmltooling
Purl
pkg:deb/debian/xmltooling?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}