CVE-2009-2474: Improper verification of X.509v3 certificate with NUL (zero) byte in certain fields

Related Vulnerabilities: CVE-2009-2474, CVE-2009-2408, CVE-2009-2473

Debian Bug report logs - #542926
Packages: neon27, neon, neon26; Maintainer for neon27 is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Maintainer for neon is (unknown); Maintainer for neon26 is (unknown);

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Sat, 22 Aug 2009 09:45:03 UTC

Severity: grave

Tags: security

Fixed in version neon27/0.28.6-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.hu>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#542926; Package neon27,neon26,neon. (Sat, 22 Aug 2009 09:45:09 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (Sat, 22 Aug 2009 09:45:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2474: Improper verification of X.509v3 certificate with NUL (zero) byte in certain fields
Date: Sat, 22 Aug 2009 11:34:28 +0200
Package: neon27,neon26,neon
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for neon.

CVE-2009-2474[0]:
neon before 0.28.6, when OpenSSL is used, does not properly handle a
'\0' character in a domain name in the subject's Common Name (CN)
field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority, a related issue to
CVE-2009-2408.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2474
    http://security-tracker.debian.net/tracker/CVE-2009-2474
    http://lists.manyfish.co.uk/pipermail/neon/2009-August/001046.html
    http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html

Cheers,
Giuseppe

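The failure mode described in the CVE text above, shown as an added example (not neon's code and not the upstream patch): a name field is stored as bytes plus a length, and matching it as a C string stops at the first `'\0'`. The `cert_name` type, the function names and the sample names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical model of a decoded certificate name field: raw bytes plus an
 * explicit length, as an ASN.1 string is stored. The bytes may contain 0x00. */
struct cert_name {
    const unsigned char *data;  /* also NUL-terminated in these samples */
    size_t len;                 /* encoded length, terminator excluded */
};

/* Constructed sample values; example.com and .example are reserved names. */
static const unsigned char HONEST[]  = "www.example.com";
static const unsigned char CRAFTED[] = "www.example.com\0.other.example";
const struct cert_name honest_cn  = { HONEST,  sizeof HONEST  - 1 };
const struct cert_name crafted_cn = { CRAFTED, sizeof CRAFTED - 1 };

/* Flawed: treats the field as a C string, so matching stops at the first
 * NUL and the rest of the name the CA actually signed is ignored. */
int match_as_cstring(const struct cert_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened: any 0x00 inside the encoded length marks the name as malformed
 * and it is rejected; otherwise the full encoded length must match. */
int match_checked(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != strlen(host))
        return 0;
    return strncasecmp((const char *)cn->data, host, cn->len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("crafted, C-string match: %d\n", match_as_cstring(&crafted_cn, host));
    printf("crafted, checked match:  %d\n", match_checked(&crafted_cn, host));
    printf("honest,  checked match:  %d\n", match_checked(&honest_cn, host));
    return 0;
}
```
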




Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
You have taken responsibility. (Sat, 22 Aug 2009 12:15:44 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 22 Aug 2009 12:15:44 GMT)


Message #10 received at 542926-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
To: 542926-close@bugs.debian.org
Subject: Bug#542926: fixed in neon27 0.28.6-1
Date: Sat, 22 Aug 2009 11:32:30 +0000
Source: neon27
Source-Version: 0.28.6-1

We believe that the bug you reported is fixed in the latest version of
neon27, which is due to be installed in the Debian FTP archive:

libneon25-dev_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon25-dev_0.28.6-1_amd64.deb
libneon27-dbg_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-dbg_0.28.6-1_amd64.deb
libneon27-dev_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-dev_0.28.6-1_amd64.deb
libneon27-gnutls-dbg_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls-dbg_0.28.6-1_amd64.deb
libneon27-gnutls-dev_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls-dev_0.28.6-1_amd64.deb
libneon27-gnutls_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls_0.28.6-1_amd64.deb
libneon27_0.28.6-1_amd64.deb
  to pool/main/n/neon27/libneon27_0.28.6-1_amd64.deb
neon27_0.28.6-1.diff.gz
  to pool/main/n/neon27/neon27_0.28.6-1.diff.gz
neon27_0.28.6-1.dsc
  to pool/main/n/neon27/neon27_0.28.6-1.dsc
neon27_0.28.6.orig.tar.gz
  to pool/main/n/neon27/neon27_0.28.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 542926@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.hu> (supplier of updated neon27 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 22 Aug 2009 10:19:54 +0000
Source: neon27
Binary: libneon27 libneon27-dev libneon27-dbg libneon27-gnutls libneon27-gnutls-dev libneon27-gnutls-dbg libneon25-dev
Architecture: source amd64
Version: 0.28.6-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Description: 
 libneon25-dev - Header and static library files for libneon25
 libneon27  - An HTTP and WebDAV client library
 libneon27-dbg - Detached symbols for libneon27
 libneon27-dev - Header and static library files for libneon27
 libneon27-gnutls - An HTTP and WebDAV client library (GnuTLS enabled)
 libneon27-gnutls-dbg - Detached symbols for libneon27 (GnuTLS enabled)
 libneon27-gnutls-dev - Header and static library files for libneon27 (GnuTLS enabled)
Closes: 542926
Changes: 
 neon27 (0.28.6-1) unstable; urgency=high
 .
   * New upstream release, fixing CVE-2009-2474 (closes: #542926); for gnutls
     version building with gnutls 2.8.2 or later required, updated
     build-dependency accordingly.
   * CVE-2009-2473 doesn't affect this package as it's compiled with a libxml2
     version greater than 2.6.32 .





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Sep 2009 07:29:50 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:58:30 2019; Machine Name: buxtehude
