CVE-2009-2474: fix handling of NUL in SSL cert subject names

Joe Orton joe at manyfish.co.uk
Wed Aug 19 17:07:03 EDT 2009


On Wed, Aug 19, 2009 at 07:52:14PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> 2009-08-18 17:51:03 Joe Orton wrote:
> > If neon is linked against GnuTLS, version 2.8.2 or later must be used to 
> > avoid the vulnerability.
> 
> Do you mean that Neon 0.28.6 with GnuTLS 2.8.1 is vulnerable or that
> Neon 0.28.5 with GnuTLS 2.8.2 isn't vulnerable?

I researched this further when confirming the answer, and in fact, my 
statement above was not correct.  New statement:

1. Versions of neon up to and including 0.28.5 are vulnerable to one or 
more of the embedded-NUL-byte issues, for all versions of GnuTLS 
available (including 2.8.2 and later).

2. neon version 0.28.6 is not vulnerable to any of the 
embedded-NUL-byte issues, for all versions of GnuTLS available 
(including 2.8.1 and earlier).

Hope that is clear!

Regards, Joe


