MDVSA-2009:221

Package name

libneon0.27

Date

2009-08-24

Advisory ID

MDVSA-2009:221

Affected versions

2009.0 x86_64 , MES5 i586 , 2009.1 i586 , 2009.0 i586 , 2008.1 i586 , CS4.0 i586 , CS4.0 x86_64 , 2008.1 x86_64 , 2009.1 x86_64 , MES5 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in libneon0.27:

neon before 0.28.6, when expat is used, does not properly detect
recursion during entity expansion, which allows context-dependent
attackers to cause a denial of service (memory and CPU consumption)
via a crafted XML document containing a large number of nested entity
references, a similar issue to CVE-2003-1564 (CVE-2009-2473).

neon before 0.28.6, when OpenSSL is used, does not properly handle a
'\0' (NUL) character in a domain name in the subject's Common Name
(CN) field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority, a related issue to
CVE-2009-2408 (CVE-2009-2474).

This update provides a solution to these vulnerabilities.

Updated packages

2009.0 x86_64

 3a86cf10f1df3feaea91ae64e28f3e8d  2009.0/x86_64/lib64neon0.27-0.28.3-1.1mdv2009.0.x86_64.rpm
 872195ee41e00405d03ab18010bd15d9  2009.0/x86_64/lib64neon0.27-devel-0.28.3-1.1mdv2009.0.x86_64.rpm
 f841222c663bc8506e6e0e87a165c6b7  2009.0/x86_64/lib64neon0.27-static-devel-0.28.3-1.1mdv2009.0.x86_64.rpm 
 14cbfad698a74067a74199807e8c9282  2009.0/SRPMS/libneon0.27-0.28.3-1.1mdv2009.0.src.rpm

MES5 i586

 a2209a398a7f98673c5bd459dfa1fd58  mes5/i586/libneon0.27-0.28.3-1.1mdvmes5.i586.rpm
 18631025bb665c21dcbd4ef75986dc2f  mes5/i586/libneon0.27-devel-0.28.3-1.1mdvmes5.i586.rpm
 b216b56ea349e57db0bd1a06791c1192  mes5/i586/libneon0.27-static-devel-0.28.3-1.1mdvmes5.i586.rpm 
 2cd59a4c7297629446c6c0779363d6fd  mes5/SRPMS/libneon0.27-0.28.3-1.1mdvmes5.src.rpm

2009.1 i586

 14c6caacb5e2b3f9e0a2e7b7924ba1e3  2009.1/i586/libneon0.27-0.28.3-2.1mdv2009.1.i586.rpm
 242e3182440acc212408d03d27ba9a08  2009.1/i586/libneon0.27-devel-0.28.3-2.1mdv2009.1.i586.rpm
 71701b0c1b6931979cb6eabe377522aa  2009.1/i586/libneon0.27-static-devel-0.28.3-2.1mdv2009.1.i586.rpm 
 58bd3f3f6ac9178d9e4903fa88fd5862  2009.1/SRPMS/libneon0.27-0.28.3-2.1mdv2009.1.src.rpm

2009.0 i586

 9bf34661a2420bd2402cafc4565a2587  2009.0/i586/libneon0.27-0.28.3-1.1mdv2009.0.i586.rpm
 f6ed581464940115491ec68cacafe859  2009.0/i586/libneon0.27-devel-0.28.3-1.1mdv2009.0.i586.rpm
 db2dc25faa186ceb3394af63a9e2d0e6  2009.0/i586/libneon0.27-static-devel-0.28.3-1.1mdv2009.0.i586.rpm 
 14cbfad698a74067a74199807e8c9282  2009.0/SRPMS/libneon0.27-0.28.3-1.1mdv2009.0.src.rpm

2008.1 i586

 26729257d5b2255a8a6242cfe6931dc9  2008.1/i586/libneon0.27-0.28.3-0.2mdv2008.1.i586.rpm
 992af0611f69a2e4043f29faf50de608  2008.1/i586/libneon0.27-devel-0.28.3-0.2mdv2008.1.i586.rpm
 71e83652b0aa875f404ecf0df9409184  2008.1/i586/libneon0.27-static-devel-0.28.3-0.2mdv2008.1.i586.rpm 
 a4b59dd8d54e66de85f70186c7726269  2008.1/SRPMS/libneon0.27-0.28.3-0.2mdv2008.1.src.rpm

CS4.0 i586

 6c92c285d835d3d283c820bbe14fa013  corporate/4.0/i586/libneon0.27-0.28.3-0.2.20060mlcs4.i586.rpm
 ae72e53a686010d7b31e56bee90000e5  corporate/4.0/i586/libneon0.27-devel-0.28.3-0.2.20060mlcs4.i586.rpm
 1814371725d85bb607af694a074fc816  corporate/4.0/i586/libneon0.27-static-devel-0.28.3-0.2.20060mlcs4.i586.rpm 
 617b5c9c0bf440531b571e34409023b3  corporate/4.0/SRPMS/libneon0.27-0.28.3-0.2.20060mlcs4.src.rpm

CS4.0 x86_64

 9db63260cab1c01d8f6e3882f719a8a6  corporate/4.0/x86_64/lib64neon0.27-0.28.3-0.2.20060mlcs4.x86_64.rpm
 526df150c547d98fdeeda8241774bcbf  corporate/4.0/x86_64/lib64neon0.27-devel-0.28.3-0.2.20060mlcs4.x86_64.rpm
 02fa7448bb3a59c6f0947a2e96983813  corporate/4.0/x86_64/lib64neon0.27-static-devel-0.28.3-0.2.20060mlcs4.x86_64.rpm 
 617b5c9c0bf440531b571e34409023b3  corporate/4.0/SRPMS/libneon0.27-0.28.3-0.2.20060mlcs4.src.rpm

2008.1 x86_64

 56eb9b74f3e2202ac683377a16799c70  2008.1/x86_64/lib64neon0.27-0.28.3-0.2mdv2008.1.x86_64.rpm
 f688d9a1285f19e7b80997b52a147a60  2008.1/x86_64/lib64neon0.27-devel-0.28.3-0.2mdv2008.1.x86_64.rpm
 08f5058e8dc35470e8cdc8cf9cb16381  2008.1/x86_64/lib64neon0.27-static-devel-0.28.3-0.2mdv2008.1.x86_64.rpm 
 a4b59dd8d54e66de85f70186c7726269  2008.1/SRPMS/libneon0.27-0.28.3-0.2mdv2008.1.src.rpm

2009.1 x86_64

 5ac6a8cefa50849e32957b821ec1ef8c  2009.1/x86_64/lib64neon0.27-0.28.3-2.1mdv2009.1.x86_64.rpm
 5b801b45bf9d73a59b7eb0a4b350431f  2009.1/x86_64/lib64neon0.27-devel-0.28.3-2.1mdv2009.1.x86_64.rpm
 72e5bce2285b22ccd6b6f68c8c47bff8  2009.1/x86_64/lib64neon0.27-static-devel-0.28.3-2.1mdv2009.1.x86_64.rpm 
 58bd3f3f6ac9178d9e4903fa88fd5862  2009.1/SRPMS/libneon0.27-0.28.3-2.1mdv2009.1.src.rpm

MES5 x86_64

 ee892ef74cca60e827899a0d9e06c8cd  mes5/x86_64/lib64neon0.27-0.28.3-1.1mdvmes5.x86_64.rpm
 db0c1a9ab2315bf05dc35382349d4534  mes5/x86_64/lib64neon0.27-devel-0.28.3-1.1mdvmes5.x86_64.rpm
 0c131d6264ef181e0b3870c8eb438b36  mes5/x86_64/lib64neon0.27-static-devel-0.28.3-1.1mdvmes5.x86_64.rpm 
 2cd59a4c7297629446c6c0779363d6fd  mes5/SRPMS/libneon0.27-0.28.3-1.1mdvmes5.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2474
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473