Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 20 Aug 2009 08:56:41 +0100
From: Joe Orton <>
Subject: Re: neon 0.28.6 - CVE-2009-2473, CVE-2009-2474

On Tue, Aug 18, 2009 at 04:57:01PM +0100, Joe Orton wrote:
> * SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in
>   a certificate subject name with OpenSSL; could allow an undetected
>   MITM attack against an SSL server if a trusted CA issues such a cert.

I implied here, and stated in the message to the mailing list, that neon 
was not affected by this issue if linked against GnuTLS 2.8.2 or later, 
rather than OpenSSL.  This was not correct.  

Versions of neon <= 0.28.5 linked against any version of GnuTLS 
(including >= 2.8.2) are still vulnerable to at least one type of 
embedded-NUL issue.  

It is necessary to upgrade to neon 0.28.6 to fix the issue completely, 
if built against GnuTLS.

So far as this vulnerability affects neon, it is neither sufficient nor 
necessary to update to GnuTLS 2.8.2.  (i.e. neon 0.28.6 will not be 
vulnerable if linked against older versions of GnuTLS)

Apologies for the confusion, and hope this is clear.

Regards, Joe

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.