Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
| Link | Tags |
|---|---|
| http://secunia.com/advisories/36876 | third party advisory vendor advisory |
| http://www.debian.org/security/2009/dsa-1896 | vendor advisory |
| http://www.debian.org/security/2009/dsa-1895 | vendor advisory |
| http://shibboleth.internet2.edu/secadv/secadv_20090817.txt | vendor advisory |
| http://secunia.com/advisories/36861 | third party advisory vendor advisory |
| http://secunia.com/advisories/36855 | third party advisory vendor advisory |