oss-sec mailing list archives

Three Shibboleth issues


From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 23 Sep 2009 19:46:05 +0000

1)

| The Shibboleth software includes code to encode and decode URL
| information, and has been shown to crash on certain malformed
| encoded URLs due to a buffer overrun.

(Also potential pre-auth code execution.)

<http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>


2)

NUL injection in certificate names:

<http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>


3)

| The Shibboleth software supports the use of SAML metadata to
| identify authentication and encryption keys by means of the
| <KeyDescriptor> element. In previous versions, the software
| was improperly ignoring the "use" attribute and treating all
| elements as valid for both signing/TLS and encryption.

<http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>

Isolated patches are available here:

<http://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/2009-September/001213.html>

Be careful when applying them---one hunk touches an inline function in
a header-only C++ class with virtual functions (see the mailing list
discussion).
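
The two metadata/name-handling issues above (2 and 3) are easy to get wrong again in any SAML consumer, so here is an added example that is not part of Florian's message nor of the Shibboleth code base. It uses constructed sample metadata and a constructed certificate name; the entity IDs, key names and function names are illustrative assumptions. The first half shows a "C-string" style name comparison that is fooled by an embedded NUL next to a length-aware one that is not; the second half selects keys from <KeyDescriptor> elements while honouring the "use" attribute ("signing", "encryption", or absent meaning both), beside the faulty behaviour the advisory describes, where every key is accepted for both purposes.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# --- Issue 2: NUL injection in certificate names ---------------------------
# ASN.1 strings in a certificate are length-prefixed, so a CN or SAN such as
# b"sp.example.org\x00.evil.example" is legal on the wire. Code that hands the
# bytes to strcmp()/strlen() sees only "sp.example.org".

def c_string_name_matches(cert_name: bytes, expected: str) -> bool:
    """Faulty check: mimics strcmp() by stopping at the first NUL byte."""
    truncated = cert_name.split(b"\x00", 1)[0]
    return truncated.decode("utf-8", errors="replace") == expected

def name_matches(cert_name: bytes, expected: str) -> bool:
    """Hardened check: reject embedded NULs and compare the full length."""
    if b"\x00" in cert_name:
        return False
    try:
        return cert_name.decode("utf-8") == expected
    except UnicodeDecodeError:
        return False

# --- Issue 3: the "use" attribute on <KeyDescriptor> -----------------------
# Constructed sample metadata (assumption, not real Shibboleth metadata):
# one signing-only key, one encryption-only key, and one with no "use",
# which per SAML metadata semantics is valid for both purposes.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>sp-signing-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>sp-encryption-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>sp-dual-use-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""" % (MD_NS, DS_NS)

def key_names(metadata_xml: str, use: str, honour_use: bool = True) -> list:
    """Return the ds:KeyName values usable for `use` ("signing" or
    "encryption"). With honour_use=False the function reproduces the faulty
    behaviour from the advisory: every KeyDescriptor is accepted regardless
    of its declared purpose."""
    if use not in ("signing", "encryption"):
        raise ValueError("use must be 'signing' or 'encryption'")
    root = ET.fromstring(metadata_xml)
    names = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        declared = kd.get("use")          # None means "both purposes"
        if honour_use and declared is not None and declared != use:
            continue
        for kn in kd.iter("{%s}KeyName" % DS_NS):
            names.append(kn.text)
    return names

if __name__ == "__main__":
    spoofed = b"sp.example.org\x00.evil.example"
    print("strcmp-style match on NUL-injected name:",
          c_string_name_matches(spoofed, "sp.example.org"))
    print("length-aware match on NUL-injected name:",
          name_matches(spoofed, "sp.example.org"))
    print("signing keys, use honoured:   ", key_names(SAMPLE_METADATA, "signing"))
    print("signing keys, use ignored:    ",
          key_names(SAMPLE_METADATA, "signing", honour_use=False))
```

With the "use" attribute ignored, the encryption-only key is also trusted to verify signatures and to identify the peer over TLS, which is exactly the condition the third advisory describes; honouring the attribute limits each key to the purpose its owner published it for, while keys that carry no "use" remain valid for both.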


Current thread: