CVE-2011-2516
https://notcve.org/view.php?id=CVE-2011-2516
Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products, allows remote attackers to cause a denial of service (crash) via a signature using a large RSA key, which triggers a buffer overflow. Error de superación de límite (off-by-one) en la característica de firma XML en Apache XML Security para C++ v1.6.0,usado en Shibboleth anterior a v2.4.3 y posiblemente otros productos, permite a atacantes remotos provocar una denegación de servicio (caída) a través de una firma utilizando una clave RSA larga, que provoca un desbordamiento de búfer. • http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063159.html http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063229.html http://santuario.apache.org/secadv/CVE-2011-2516.txt http://secunia.com/advisories/45151 http://secunia.com/advisories/45191 http://secunia.com/advisories/45198 http://secunia.com/advisories/45491 http://shibboleth.internet2.edu/secadv/secadv_20110706.txt http://www.debian.org/security/2011/dsa-2277 http://www.securityfocus.com/ar • CWE-189: Numeric Errors •
CVE-2009-3475
https://notcve.org/view.php?id=CVE-2009-3475
Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. El software Internet2 Shibboleth Service Provider v1.3.x anterior a v1.3.3 y v2.x anterior a v2.2.1, cuando se utiliza la validación de confianza PKIX, no controla correctamente un caracter '\0' en los campos subject o subjectAltName de un certificado, lo cual permite a atacantes remotos hombre-en-el-medio (man-in-the-middle) suplantar servidores SSL a su elección a través de certificados manipulados expedidos por una Autoridad de Certificación, un tema relacionado con CVE-2009-2408. • http://secunia.com/advisories/36855 http://secunia.com/advisories/36861 http://secunia.com/advisories/36876 http://shibboleth.internet2.edu/secadv/secadv_20090817.txt http://www.debian.org/security/2009/dsa-1895 http://www.debian.org/security/2009/dsa-1896 • CWE-310: Cryptographic Issues •
CVE-2009-3476
https://notcve.org/view.php?id=CVE-2009-3476
Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL. Desbordamiento de búfer en OpenSAML anterior a v1.1.3 utilizado en Internet2 Shibboleth Service Provider software v1.3.x anterior a v1.3.4, y XMLTooling anterior a v1.2.2 utilizado en Internet2 Shibboleth Service Provider software v2.x anterior a 2.2.1, permite a atacantes remotos provocar una denegación de servicio y posiblemente ejecutar código de su elección a través de una URL codificada mal formada. • http://secunia.com/advisories/36869 http://secunia.com/advisories/36870 http://shibboleth.internet2.edu/secadv/secadv_20090826.txt http://www.securityfocus.com/bid/36514 https://exchange.xforce.ibmcloud.com/vulnerabilities/53471 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2009-3474
https://notcve.org/view.php?id=CVE-2009-3474
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate. OpenSAML v2.x anterior a v2.2.1 y XMLTooling v1.x anterior a v1.2.1, utilizado por Internet2 Shibboleth Service Provider v2.x anterior a v2.2.1,no siguen el atributo Use del elemento KeyDescriptor, lo cual permite a atacantes remotos utilizar un certificado para la firma y encriptación, cuando esta designado para un solo fin, debilitando potencialmente el propósito de aplicación de seguridad del certificado. • http://secunia.com/advisories/36855 http://secunia.com/advisories/36868 http://secunia.com/advisories/36876 http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt http://www.debian.org/security/2009/dsa-1895 http://www.debian.org/security/2009/dsa-1896 http://www.securityfocus.com/bid/36516 https://bugs.internet2.edu/jira/browse/CPPOST-28 https://exchange.xforce.ibmcloud.com/vulnerabilities/53474 • CWE-310: Cryptographic Issues •