Date: Thu, 20 Aug 2009 08:56:41 +0100
From: Joe Orton <jorton@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: neon 0.28.6 - CVE-2009-2473, CVE-2009-2474
On Tue, Aug 18, 2009 at 04:57:01PM +0100, Joe Orton wrote:
> * SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in
> a certificate subject name with OpenSSL; could allow an undetected
> MITM attack against an SSL server if a trusted CA issues such a cert.
I implied here, and stated in the message to the mailing list, that neon
was not affected by this issue if linked against GnuTLS 2.8.2 or later,
rather than OpenSSL. This was not correct.
Versions of neon <= 0.28.5 linked against any version of GnuTLS
(including >= 2.8.2) are still vulnerable to at least one type of
embedded-NUL issue.
It is necessary to upgrade to neon 0.28.6 to fix the issue completely,
if built against GnuTLS.
So far as this vulnerability affects neon, it is neither sufficient nor
necessary to update to GnuTLS 2.8.2. (i.e. neon 0.28.6 will not be
vulnerable if linked against older versions of GnuTLS)
Apologies for the confusion, and hope this is clear.
Regards, Joe
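As an added illustration of the embedded-NUL class of bug the message refers to (example code written for this page, not neon's or GnuTLS's own; the subject name and hostname are constructed), a length-aware commonName comparison placed beside the flawed C-string one:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Flawed pattern: the certificate commonName is an ASN.1 string with an
 * explicit length, but it is handled as a NUL-terminated C string, so the
 * comparison stops at the first NUL byte and ignores what follows. */
int cn_matches_host_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                             /* length ignored: the defect */
    return strcmp((const char *)cn, host) == 0;
}

/* Length-aware check: reject any embedded NUL (a hostname never contains one),
 * then compare the full ASN.1 length against the expected hostname, ASCII
 * case-insensitively as DNS names are.  Returns 1 on match, 0 otherwise. */
int cn_matches_host_safe(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t i, host_len = strlen(host);

    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    if (cn_len != host_len)
        return 0;
    for (i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}

/* Constructed sample subject name with an embedded NUL byte; sizeof - 1 drops
 * only the C literal's trailing terminator, keeping the embedded one. */
static const unsigned char bad_cn[] = "www.example.com\0.attacker.test";
#define BAD_CN_LEN (sizeof(bad_cn) - 1)

static const unsigned char good_cn[] = "WWW.example.com";
#define GOOD_CN_LEN (sizeof(good_cn) - 1)

int demo_naive_accepts_bad_cn(void)
{
    return cn_matches_host_naive(bad_cn, BAD_CN_LEN, "www.example.com");  /* 1 */
}

int demo_safe_rejects_bad_cn(void)
{
    return cn_matches_host_safe(bad_cn, BAD_CN_LEN, "www.example.com");   /* 0 */
}

int demo_safe_accepts_good_cn(void)
{
    return cn_matches_host_safe(good_cn, GOOD_CN_LEN, "www.example.com");  /* 1 */
}
```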