LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: November 21st, 2014
Linux Security Week: November 17th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: Subject: [Security Announce] [ MDVSA-2009:228 ] libneon Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake A vulnerability has been found and corrected in neon: neon before 0.28.6, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. (CVE-2009-2474) This update provides a solution to this vulnerability.
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:228
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libneon
 Date    : September 10, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
           Enterprise Server 5.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in neon:
 
 neon before 0.28.6, when OpenSSL is used, does not properly handle
 a '\0' character in a domain name in the subject's Common Name
 (CN) field of an X.509 certificate, which allows man-in-the-middle
 attackers to spoof arbitrary SSL servers via a crafted certificate
 issued by a legitimate Certification Authority, a related issue to
 CVE-2009-2408. (CVE-2009-2474)
 
 This update provides a solution to this vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2474
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 1123e36a897efa834a3e0d36460dcc33  2008.1/i586/libneon0.24-0.24.7-21.2mdv2008.1.i586.rpm
 3684425df6598f1a7c86aed6f286d2e7  2008.1/i586/libneon0.24-devel-0.24.7-21.2mdv2008.1.i586.rpm
 ccea87a2cc2d93b87d914be1b4505a37  2008.1/i586/libneon0.24-static-devel-0.24.7-21.2mdv2008.1.i586.rpm
 ca5680df443981778142576a68d9a8b1  2008.1/i586/libneon0.26-0.26.4-5.2mdv2008.1.i586.rpm
 9b90410422324514c0b0645163118c9a  2008.1/i586/libneon0.26-devel-0.26.4-5.2mdv2008.1.i586.rpm
 ae76995f7d095331ed5773a584b2a73c  2008.1/i586/libneon0.26-static-devel-0.26.4-5.2mdv2008.1.i586.rpm 
 dc1d23f9ec9b449893456baec8b6700b  2008.1/SRPMS/libneon0.24-0.24.7-21.2mdv2008.1.src.rpm
 effe8d01bc8e9663dbe61a92849eb340  2008.1/SRPMS/libneon0.26-0.26.4-5.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 74220dd3794599f93a762ac96cdb4f2a  2008.1/x86_64/lib64neon0.24-0.24.7-21.2mdv2008.1.x86_64.rpm
 e357492501ef388e756780aea057aa0e  2008.1/x86_64/lib64neon0.24-devel-0.24.7-21.2mdv2008.1.x86_64.rpm
 099adbe063ff402b5f79b96aee7d28f4  2008.1/x86_64/lib64neon0.24-static-devel-0.24.7-21.2mdv2008.1.x86_64.rpm
 491e88176c331b8b33850dc4ff4cf11b  2008.1/x86_64/lib64neon0.26-0.26.4-5.2mdv2008.1.x86_64.rpm
 dd9b2e3e919f69cb10150ff0ce4c5559  2008.1/x86_64/lib64neon0.26-devel-0.26.4-5.2mdv2008.1.x86_64.rpm
 426db2bebd6206115e358b779f62f117  2008.1/x86_64/lib64neon0.26-static-devel-0.26.4-5.2mdv2008.1.x86_64.rpm 
 dc1d23f9ec9b449893456baec8b6700b  2008.1/SRPMS/libneon0.24-0.24.7-21.2mdv2008.1.src.rpm
 effe8d01bc8e9663dbe61a92849eb340  2008.1/SRPMS/libneon0.26-0.26.4-5.2mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 4f9454779e532e76d530121b2efed153  2009.0/i586/libneon0.26-0.26.4-6.2mdv2009.0.i586.rpm
 a86b602efd802fe0a90756c54a4cfee6  2009.0/i586/libneon0.26-devel-0.26.4-6.2mdv2009.0.i586.rpm
 2fbae1ec8948843b455b53463f5f216d  2009.0/i586/libneon0.26-static-devel-0.26.4-6.2mdv2009.0.i586.rpm 
 ecc22290b29644dd7459c2aefe5d5de4  2009.0/SRPMS/libneon0.26-0.26.4-6.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 077026afcdf0c1e1d09fe098c340a85c  2009.0/x86_64/lib64neon0.26-0.26.4-6.2mdv2009.0.x86_64.rpm
 91127afa4a80debcfcd49f0a19a0e442  2009.0/x86_64/lib64neon0.26-devel-0.26.4-6.2mdv2009.0.x86_64.rpm
 7caf316e8079d30ca90b96903ba1702a  2009.0/x86_64/lib64neon0.26-static-devel-0.26.4-6.2mdv2009.0.x86_64.rpm 
 ecc22290b29644dd7459c2aefe5d5de4  2009.0/SRPMS/libneon0.26-0.26.4-6.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 f94b7b03b28ebdc4ece54b601460bd4f  2009.1/i586/libneon0.26-0.26.4-6.2mdv2009.1.i586.rpm
 0ab62c5b0622e2e3cd1f78347cc04e41  2009.1/i586/libneon0.26-devel-0.26.4-6.2mdv2009.1.i586.rpm
 f340831b1373206f3f740e5d51f8c10a  2009.1/i586/libneon0.26-static-devel-0.26.4-6.2mdv2009.1.i586.rpm 
 746a811c1e5a3f119c57c2921fda7073  2009.1/SRPMS/libneon0.26-0.26.4-6.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 e8cc5d7d17190643ab468bd1624db6a8  2009.1/x86_64/lib64neon0.26-0.26.4-6.2mdv2009.1.x86_64.rpm
 4d2649aa3c3db0e734267c5eba3eb248  2009.1/x86_64/lib64neon0.26-devel-0.26.4-6.2mdv2009.1.x86_64.rpm
 19ca5a647425e4db9af287de0e21bb69  2009.1/x86_64/lib64neon0.26-static-devel-0.26.4-6.2mdv2009.1.x86_64.rpm 
 746a811c1e5a3f119c57c2921fda7073  2009.1/SRPMS/libneon0.26-0.26.4-6.2mdv2009.1.src.rpm

 Corporate 3.0:
 d27dbab058c8fa431ddb2d6dc0b9a274  corporate/3.0/i586/libneon0.24-0.24.7-1.1.101mdk.i586.rpm
 fae249ec7fa3c2621b120e7cea01a211  corporate/3.0/i586/libneon0.24-devel-0.24.7-1.1.101mdk.i586.rpm
 a51842a47dd9e123f9f51d2c4d82daaa  corporate/3.0/i586/libneon0.24-static-devel-0.24.7-1.1.101mdk.i586.rpm 
 6aac5b1670a6d20c6142b84ff9e96a51  corporate/3.0/SRPMS/libneon-0.24.7-1.1.101mdk.src.rpm

 Corporate 3.0/X86_64:
 9bcb2e9bbb1da24b19594fbd1738f1c2  corporate/3.0/x86_64/lib64neon0.24-0.24.7-1.1.101mdk.x86_64.rpm
 6406230ecb959c719b6bdcde4004baee  corporate/3.0/x86_64/lib64neon0.24-devel-0.24.7-1.1.101mdk.x86_64.rpm
 80330ad1bcd75f7052196cd48acb3d23  corporate/3.0/x86_64/lib64neon0.24-static-devel-0.24.7-1.1.101mdk.x86_64.rpm 
 6aac5b1670a6d20c6142b84ff9e96a51  corporate/3.0/SRPMS/libneon-0.24.7-1.1.101mdk.src.rpm

 Corporate 4.0:
 5dd641da6ce0f905dfa934eaf8a1e576  corporate/4.0/i586/libneon0.24-0.24.7-12.1mdk.i586.rpm
 1ac9cad7a7e2849428e06404a7b5f539  corporate/4.0/i586/libneon0.24-devel-0.24.7-12.1mdk.i586.rpm
 15cdf86dab35fde01dda647ae6d81246  corporate/4.0/i586/libneon0.24-static-devel-0.24.7-12.1mdk.i586.rpm
 4c83315bb3f59dbd748131e339e0129f  corporate/4.0/i586/libneon0.25-0.25.1-3.1mdk.i586.rpm
 4488e97e752f9dcfec360a5bd01be634  corporate/4.0/i586/libneon0.25-devel-0.25.1-3.1mdk.i586.rpm
 894574f2e6fcc466ae5e093d202ea4a8  corporate/4.0/i586/libneon0.25-static-devel-0.25.1-3.1mdk.i586.rpm 
 9efb81497d770a4c54be687c15ab9786  corporate/4.0/SRPMS/libneon0.24-0.24.7-12.1mdk.src.rpm
 23a233753b854143302a76f4982e42d7  corporate/4.0/SRPMS/libneon0.25-0.25.1-3.1mdk.src.rpm

 Corporate 4.0/X86_64:
 abbd0b575fab4521cf4c68258844e63f  corporate/4.0/x86_64/lib64neon0.24-0.24.7-12.1mdk.x86_64.rpm
 6d9a76ead78b506c8c1ccccf82ff95ae  corporate/4.0/x86_64/lib64neon0.24-devel-0.24.7-12.1mdk.x86_64.rpm
 e0d9b14e0794a3cd8c7f387f45252983  corporate/4.0/x86_64/lib64neon0.24-static-devel-0.24.7-12.1mdk.x86_64.rpm
 9bf7d5343eefa15518a8d8347d7a7390  corporate/4.0/x86_64/lib64neon0.25-0.25.1-3.1mdk.x86_64.rpm
 f874157bdb9dae35bbaf98cc6fdf64fc  corporate/4.0/x86_64/lib64neon0.25-devel-0.25.1-3.1mdk.x86_64.rpm
 07e03b594e6cc03e6c97104beb6d8147  corporate/4.0/x86_64/lib64neon0.25-static-devel-0.25.1-3.1mdk.x86_64.rpm 
 9efb81497d770a4c54be687c15ab9786  corporate/4.0/SRPMS/libneon0.24-0.24.7-12.1mdk.src.rpm
 23a233753b854143302a76f4982e42d7  corporate/4.0/SRPMS/libneon0.25-0.25.1-3.1mdk.src.rpm

 Mandriva Enterprise Server 5:
 f5a94acdb8dbd9131202074428dead73  mes5/i586/libneon0.26-0.26.4-6.2mdvmes5.i586.rpm
 4de9f68238916c28847f4c74eac60b25  mes5/i586/libneon0.26-devel-0.26.4-6.2mdvmes5.i586.rpm
 b1a8f226dce843b68be9970081984585  mes5/i586/libneon0.26-static-devel-0.26.4-6.2mdvmes5.i586.rpm 
 a3202bc64e0648ec9787f6e3ad82caaf  mes5/SRPMS/libneon0.26-0.26.4-6.2mdv2009.0.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 2be4bf50ead3eb78490aa21386dbe2f2  mes5/x86_64/lib64neon0.26-0.26.4-6.2mdvmes5.x86_64.rpm
 2705e63e4d191c667d788b4bb69eb01c  mes5/x86_64/lib64neon0.26-devel-0.26.4-6.2mdvmes5.x86_64.rpm
 7419c8025a4ac445df90a73efd625f96  mes5/x86_64/lib64neon0.26-static-devel-0.26.4-6.2mdvmes5.x86_64.rpm 
 a3202bc64e0648ec9787f6e3ad82caaf  mes5/SRPMS/libneon0.26-0.26.4-6.2mdv2009.0.src.rpm

 Multi Network Firewall 2.0:
 b1614b9804645e49a3ab48e9eed87ead  mnf/2.0/i586/libneon0.24-0.24.7-1.1.101mdk.i586.rpm
 6e244da945cc42ee5a030df1635df4f3  mnf/2.0/i586/libneon0.24-devel-0.24.7-1.1.101mdk.i586.rpm
 257cabc3d460426a88cf290e5a6bee97  mnf/2.0/i586/libneon0.24-static-devel-0.24.7-1.1.101mdk.i586.rpm 
 5cb2af5b920ccfcdbe1050af2999d419  mnf/2.0/SRPMS/libneon-0.24.7-1.1.101mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Google Removes SSLv3 Fallback Support From Chrome
Hacker Lexicon: What Is End-to-End Encryption?
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.