lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MfisQ-00035b-0K@titan.mandriva.com>
Date: Tue, 25 Aug 2009 01:23:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:221 ] libneon0.27


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:221
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libneon0.27
 Date    : August 24, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in libneon0.27:
 
 neon before 0.28.6, when expat is used, does not properly detect
 recursion during entity expansion, which allows context-dependent
 attackers to cause a denial of service (memory and CPU consumption)
 via a crafted XML document containing a large number of nested entity
 references, a similar issue to CVE-2003-1564 (CVE-2009-2473).
 
 neon before 0.28.6, when OpenSSL is used, does not properly handle a
 '\0' (NUL) character in a domain name in the subject's Common Name
 (CN) field of an X.509 certificate, which allows man-in-the-middle
 attackers to spoof arbitrary SSL servers via a crafted certificate
 issued by a legitimate Certification Authority, a related issue to
 CVE-2009-2408 (CVE-2009-2474).
 
 This update provides a solution to these vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2474
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 26729257d5b2255a8a6242cfe6931dc9  2008.1/i586/libneon0.27-0.28.3-0.2mdv2008.1.i586.rpm
 992af0611f69a2e4043f29faf50de608  2008.1/i586/libneon0.27-devel-0.28.3-0.2mdv2008.1.i586.rpm
 71e83652b0aa875f404ecf0df9409184  2008.1/i586/libneon0.27-static-devel-0.28.3-0.2mdv2008.1.i586.rpm 
 a4b59dd8d54e66de85f70186c7726269  2008.1/SRPMS/libneon0.27-0.28.3-0.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 56eb9b74f3e2202ac683377a16799c70  2008.1/x86_64/lib64neon0.27-0.28.3-0.2mdv2008.1.x86_64.rpm
 f688d9a1285f19e7b80997b52a147a60  2008.1/x86_64/lib64neon0.27-devel-0.28.3-0.2mdv2008.1.x86_64.rpm
 08f5058e8dc35470e8cdc8cf9cb16381  2008.1/x86_64/lib64neon0.27-static-devel-0.28.3-0.2mdv2008.1.x86_64.rpm 
 a4b59dd8d54e66de85f70186c7726269  2008.1/SRPMS/libneon0.27-0.28.3-0.2mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 9bf34661a2420bd2402cafc4565a2587  2009.0/i586/libneon0.27-0.28.3-1.1mdv2009.0.i586.rpm
 f6ed581464940115491ec68cacafe859  2009.0/i586/libneon0.27-devel-0.28.3-1.1mdv2009.0.i586.rpm
 db2dc25faa186ceb3394af63a9e2d0e6  2009.0/i586/libneon0.27-static-devel-0.28.3-1.1mdv2009.0.i586.rpm 
 14cbfad698a74067a74199807e8c9282  2009.0/SRPMS/libneon0.27-0.28.3-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 3a86cf10f1df3feaea91ae64e28f3e8d  2009.0/x86_64/lib64neon0.27-0.28.3-1.1mdv2009.0.x86_64.rpm
 872195ee41e00405d03ab18010bd15d9  2009.0/x86_64/lib64neon0.27-devel-0.28.3-1.1mdv2009.0.x86_64.rpm
 f841222c663bc8506e6e0e87a165c6b7  2009.0/x86_64/lib64neon0.27-static-devel-0.28.3-1.1mdv2009.0.x86_64.rpm 
 14cbfad698a74067a74199807e8c9282  2009.0/SRPMS/libneon0.27-0.28.3-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 14c6caacb5e2b3f9e0a2e7b7924ba1e3  2009.1/i586/libneon0.27-0.28.3-2.1mdv2009.1.i586.rpm
 242e3182440acc212408d03d27ba9a08  2009.1/i586/libneon0.27-devel-0.28.3-2.1mdv2009.1.i586.rpm
 71701b0c1b6931979cb6eabe377522aa  2009.1/i586/libneon0.27-static-devel-0.28.3-2.1mdv2009.1.i586.rpm 
 58bd3f3f6ac9178d9e4903fa88fd5862  2009.1/SRPMS/libneon0.27-0.28.3-2.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 5ac6a8cefa50849e32957b821ec1ef8c  2009.1/x86_64/lib64neon0.27-0.28.3-2.1mdv2009.1.x86_64.rpm
 5b801b45bf9d73a59b7eb0a4b350431f  2009.1/x86_64/lib64neon0.27-devel-0.28.3-2.1mdv2009.1.x86_64.rpm
 72e5bce2285b22ccd6b6f68c8c47bff8  2009.1/x86_64/lib64neon0.27-static-devel-0.28.3-2.1mdv2009.1.x86_64.rpm 
 58bd3f3f6ac9178d9e4903fa88fd5862  2009.1/SRPMS/libneon0.27-0.28.3-2.1mdv2009.1.src.rpm

 Corporate 4.0:
 6c92c285d835d3d283c820bbe14fa013  corporate/4.0/i586/libneon0.27-0.28.3-0.2.20060mlcs4.i586.rpm
 ae72e53a686010d7b31e56bee90000e5  corporate/4.0/i586/libneon0.27-devel-0.28.3-0.2.20060mlcs4.i586.rpm
 1814371725d85bb607af694a074fc816  corporate/4.0/i586/libneon0.27-static-devel-0.28.3-0.2.20060mlcs4.i586.rpm 
 617b5c9c0bf440531b571e34409023b3  corporate/4.0/SRPMS/libneon0.27-0.28.3-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 9db63260cab1c01d8f6e3882f719a8a6  corporate/4.0/x86_64/lib64neon0.27-0.28.3-0.2.20060mlcs4.x86_64.rpm
 526df150c547d98fdeeda8241774bcbf  corporate/4.0/x86_64/lib64neon0.27-devel-0.28.3-0.2.20060mlcs4.x86_64.rpm
 02fa7448bb3a59c6f0947a2e96983813  corporate/4.0/x86_64/lib64neon0.27-static-devel-0.28.3-0.2.20060mlcs4.x86_64.rpm 
 617b5c9c0bf440531b571e34409023b3  corporate/4.0/SRPMS/libneon0.27-0.28.3-0.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 a2209a398a7f98673c5bd459dfa1fd58  mes5/i586/libneon0.27-0.28.3-1.1mdvmes5.i586.rpm
 18631025bb665c21dcbd4ef75986dc2f  mes5/i586/libneon0.27-devel-0.28.3-1.1mdvmes5.i586.rpm
 b216b56ea349e57db0bd1a06791c1192  mes5/i586/libneon0.27-static-devel-0.28.3-1.1mdvmes5.i586.rpm 
 2cd59a4c7297629446c6c0779363d6fd  mes5/SRPMS/libneon0.27-0.28.3-1.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 ee892ef74cca60e827899a0d9e06c8cd  mes5/x86_64/lib64neon0.27-0.28.3-1.1mdvmes5.x86_64.rpm
 db0c1a9ab2315bf05dc35382349d4534  mes5/x86_64/lib64neon0.27-devel-0.28.3-1.1mdvmes5.x86_64.rpm
 0c131d6264ef181e0b3870c8eb438b36  mes5/x86_64/lib64neon0.27-static-devel-0.28.3-1.1mdvmes5.x86_64.rpm 
 2cd59a4c7297629446c6c0779363d6fd  mes5/SRPMS/libneon0.27-0.28.3-1.1mdvmes5.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKkvLkmqjQ0CJFipgRAq6qAJ9cjtiGVrF46gPqCQlUYpyiTrM/uwCgm9Wp
0gkprOAZM9dbBhPRDNeWeEs=
=E/sr
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ