Support / Security / Advisories / Mandriva Linux 2008.0 / MDVSA-2009:315

Package name: libneon
Date: 2009-12-04
Advisory ID: MDVSA-2009:315
Affected versions: 2008.0 i586 , 2008.0 x86_64

Problem description

A vulnerability has been found and corrected in libneo:

neon before 0.28.6, when OpenSSL is used, does not properly handle a
'\0' (NUL) character in a domain name in the subject's Common Name
(CN) field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority, a related issue to
CVE-2009-2408 (CVE-2009-2474).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update provides a solution to these vulnerabilities.

Updated packages

2008.0 i586

 740b480f6328003b8014400e7c722484  2008.0/i586/libneon0.24-0.24.7-19.1mdv2008.0.i586.rpm
 43b99ccadcf192c0dcf9fe7c3827fb4e  2008.0/i586/libneon0.24-devel-0.24.7-19.1mdv2008.0.i586.rpm
 fffad63f0bbd21bf217e31970897a870  2008.0/i586/libneon0.24-static-devel-0.24.7-19.1mdv2008.0.i586.rpm
 c924d144718465c821feead5dcf518f9  2008.0/i586/libneon0.26-0.26.4-2.1mdv2008.0.i586.rpm
 aab2432e0e0a6c9a8cf774e0543a5a5d  2008.0/i586/libneon0.26-devel-0.26.4-2.1mdv2008.0.i586.rpm
 feece8652a4b373e0faa9b5e19219375  2008.0/i586/libneon0.26-static-devel-0.26.4-2.1mdv2008.0.i586.rpm 
 3be15e1a506e2b7db1f54f81eb2f6dae  2008.0/SRPMS/libneon0.24-0.24.7-19.1mdv2008.0.src.rpm
 497eeb18ab24c0db911d3a20467d1d2a  2008.0/SRPMS/libneon0.26-0.26.4-2.1mdv2008.0.src.rpm

2008.0 x86_64

 dc55c69b3ae59becec04e4eb7c2f006d  2008.0/x86_64/lib64neon0.24-0.24.7-19.1mdv2008.0.x86_64.rpm
 e0a0c506088e59c58e51e27dfd5914b0  2008.0/x86_64/lib64neon0.24-devel-0.24.7-19.1mdv2008.0.x86_64.rpm
 c3d17f64c10f3b0390f39c319eabd20d  2008.0/x86_64/lib64neon0.24-static-devel-0.24.7-19.1mdv2008.0.x86_64.rpm
 88b416621021d1fe74d51fc112687867  2008.0/x86_64/lib64neon0.26-0.26.4-2.1mdv2008.0.x86_64.rpm
 a5698628bf4e501d5a7cb0c97db0c9ff  2008.0/x86_64/lib64neon0.26-devel-0.26.4-2.1mdv2008.0.x86_64.rpm
 5be57578b426ca6650fb37628e15298c  2008.0/x86_64/lib64neon0.26-static-devel-0.26.4-2.1mdv2008.0.x86_64.rpm 
 3be15e1a506e2b7db1f54f81eb2f6dae  2008.0/SRPMS/libneon0.24-0.24.7-19.1mdv2008.0.src.rpm
 497eeb18ab24c0db911d3a20467d1d2a  2008.0/SRPMS/libneon0.26-0.26.4-2.1mdv2008.0.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2474