[<prev] [next>] [thread-next>] [month] [year] [list]
Date: Thu, 3 Sep 2009 16:45:47 +0200
From: Tomas Hoger <thoger@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: More CVE-2009-2408 like issues
Hi!
CVE-2009-2408-like problems were identified and fixed in some more
applications...
wget - bunch of relevant links are available in here:
https://bugzilla.redhat.com/show_bug.cgi?id=520454
mutt, when using OpenSSL, fixed via:
http://dev.mutt.org/trac/changeset/6016:dc09812e63a3/mutt_ssl.c
This only applies to 1.5.19 and later, as no name check was done in
earlier versions when OpenSSL was used for crypto, which is a problem
by itself:
http://dev.mutt.org/trac/ticket/3087
Qt got CVE-2009-2700, earlier versions of KDE use own crypto wrapper
implemented in kdelibs, which is affected too:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2702
OpenLDAP upstream did some changes that addressed this in OpenSSL
wrapping code, along with change related to handling of multiple CNs:
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.8&r2=1.11&f=h
They also changed GnuTLS code to check the last CN instead of the first
one, but this was not affected by CVE-2009-2408-like problems:
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_g.c.diff?r1=1.13&r2=1.14&f=h
NSS wrapper was re-written too to do name checking itself and not rely
on NSS (CVE-2009-2408 should likely apply here directly and patched
NSS should be sufficient to address null prefix issue in this case;
I've not tested though, do your own tests if you build OpenLDAP with
NSS):
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h
--
Tomas Hoger / Red Hat Security Response Team
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ