Date: Thu, 20 Aug 2009 08:56:41 +0100
From: Joe Orton <jorton@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: neon 0.28.6 - CVE-2009-2473, CVE-2009-2474

On Tue, Aug 18, 2009 at 04:57:01PM +0100, Joe Orton wrote:
> * SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in
> a certificate subject name with OpenSSL; could allow an undetected
> MITM attack against an SSL server if a trusted CA issues such a cert.

I implied here, and stated in the message to the mailing list, that neon was not affected by this issue if linked against GnuTLS 2.8.2 or later, rather than OpenSSL. This was not correct.

Versions of neon <= 0.28.5 linked against any version of GnuTLS (including >= 2.8.2) are still vulnerable to at least one type of embedded-NUL issue. It is necessary to upgrade to neon 0.28.6 to fix the issue completely, if built against GnuTLS.

So far as this vulnerability affects neon, it is neither sufficient nor necessary to update to GnuTLS 2.8.2. (i.e. neon 0.28.6 will not be vulnerable if linked against older versions of GnuTLS)

Apologies for the confusion, and hope this is clear.

Regards, Joe
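The bug class behind CVE-2009-2474, shown as an added C example that is not neon's code and not from this message: an X.509 commonName is a length-delimited ASN.1 string and may contain a NUL byte, so a hostname check that hands it to C-string functions stops at that NUL. The CN values below are constructed samples; the hardened check compares against the full length and rejects any name containing an embedded NUL.

```c
#include <stdio.h>
#include <string.h>

/* A commonName as pulled from DER: explicit length, NUL bytes allowed. */
struct cert_cn {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample CNs (not real certificates). The hostile one reads
 * "www.example.com" to a C-string comparison but is really a longer name. */
static const unsigned char EVIL_BYTES[] = "www.example.com\0.attacker.invalid";
static const unsigned char HONEST_BYTES[] = "www.example.com";
static const struct cert_cn EVIL_CN = { EVIL_BYTES, sizeof EVIL_BYTES - 1 };
static const struct cert_cn HONEST_CN = { HONEST_BYTES, sizeof HONEST_BYTES - 1 };

/* Vulnerable pattern: treats the CN as a C string, so the comparison
 * ends at the embedded NUL and the hostile CN matches www.example.com.
 * (Illustration of the bug class only; the sample buffers above are
 * NUL-terminated string literals, so strcmp is well-defined here.) */
int match_hostname_vulnerable(const struct cert_cn *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: an embedded NUL can never be part of a valid DNS
 * name, so reject it outright; otherwise compare the full ASN.1 length.
 * Case folding and wildcard handling are deliberately left out. */
int match_hostname_fixed(const struct cert_cn *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                       /* embedded NUL: mismatch */
    if (cn->len != hlen)
        return 0;                       /* length differs: mismatch */
    return memcmp(cn->data, host, hlen) == 0;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("vulnerable: honest=%d evil=%d\n",
           match_hostname_vulnerable(&HONEST_CN, host),
           match_hostname_vulnerable(&EVIL_CN, host));   /* 1 1 */
    printf("fixed:      honest=%d evil=%d\n",
           match_hostname_fixed(&HONEST_CN, host),
           match_hostname_fixed(&EVIL_CN, host));        /* 1 0 */
    return 0;
}
```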