CVE-2009-2474: fix handling of NUL in SSL cert subject names
Joe Orton
joe at manyfish.co.uk
Wed Aug 19 17:07:03 EDT 2009
On Wed, Aug 19, 2009 at 07:52:14PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> 2009-08-18 17:51:03 Joe Orton napisał(a):
> > If neon is linked against GnuTLS, version 2.8.2 or later must be used to
> > avoid the vulnerability.
>
> Do you mean that Neon 0.28.6 with GnuTLS 2.8.1 is vulnerable or that
> Neon 0.28.5 with GnuTLS 2.8.2 isn't vulnerable?
I researched this further when confirming the answer, and in fact, my
statement above was not correct. New statement:
1. Versions of neon up to and including 0.28.5 are vulnerable to one or
more of the embedded-NUL-byte issues, for all versions of GnuTLS
available (including 2.8.2 and later).
2. neon version 0.28.6 is not vulnerable to any of the
embedded-NUL-byte issues, for all versions of GnuTLS available
(including 2.8.1 and earlier).
Hope that is clear!
Regards, Joe
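The class of bug this thread refers to (an embedded NUL byte in a certificate subject name being cut short when the name is handled as a C string) is easiest to see as a hostname-matching routine. The following is an added illustration, not neon's code or the CVE-2009-2474 fix itself; the function names and the constructed certificate name are assumptions. A DER-encoded CN carries an explicit length, so a correct matcher must use that length and refuse any name containing a NUL rather than letting `strcmp` stop at the first NUL.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Naive matcher (the flawed pattern): the CN is treated as a C string,
 * so the comparison ends at the first NUL byte even though the
 * certificate says the name is longer. The length argument is ignored. */
static bool match_hostname_naive(const char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;
    return strcmp(cn, host) == 0;
}

/* Hardened matcher: honours the length the certificate actually carries,
 * rejects any CN with an embedded NUL, and compares exact byte lengths.
 * (Real matchers also case-fold and handle wildcards; omitted here.) */
static bool match_hostname_safe(const char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                 /* embedded NUL: never a valid hostname */
    size_t host_len = strlen(host);
    if (host_len != cn_len)
        return false;                 /* lengths differ: cannot match */
    return memcmp(cn, host, cn_len) == 0;
}

/* Constructed sample: a CN whose DER length runs past an embedded NUL.
 * sizeof() - 1 gives the full length including the bytes after the NUL. */
#define BAD_CN  "www.example.test\0.other.test"
#define GOOD_CN "www.example.test"

int main(void)
{
    const char *host = "www.example.test";

    printf("naive, NUL-embedded CN : %s\n",
           match_hostname_naive(BAD_CN, sizeof(BAD_CN) - 1, host) ? "MATCH (wrong)" : "no match");
    printf("safe,  NUL-embedded CN : %s\n",
           match_hostname_safe(BAD_CN, sizeof(BAD_CN) - 1, host) ? "MATCH (wrong)" : "no match");
    printf("safe,  legitimate CN   : %s\n",
           match_hostname_safe(GOOD_CN, sizeof(GOOD_CN) - 1, host) ? "match" : "NO MATCH (wrong)");
    return 0;
}
```

The naive routine accepts the NUL-embedded name because `strcmp` only ever sees the bytes before the NUL; the hardened one rejects it outright and still accepts the legitimate name, which is the behaviour a TLS client needs regardless of which TLS library supplies the certificate fields.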