[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] More CVE-2009-2408 like issues
From: Tomas Hoger <thoger () redhat ! com>
Date: 2009-09-03 14:45:47
Message-ID: 20090903164547.38b4fa40 () redhat ! com
[Download RAW message or body]
Hi!
CVE-2009-2408-like problems were identified and fixed in some more
applications...
wget - bunch of relevant links are available in here:
https://bugzilla.redhat.com/show_bug.cgi?id=520454
mutt, when using OpenSSL, fixed via:
http://dev.mutt.org/trac/changeset/6016:dc09812e63a3/mutt_ssl.c
This only applies to 1.5.19 and later, as no name check was done in
earlier versions when OpenSSL was used for crypto, which is a problem
by itself:
http://dev.mutt.org/trac/ticket/3087
Qt got CVE-2009-2700, earlier versions of KDE use own crypto wrapper
implemented in kdelibs, which is affected too:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2702
OpenLDAP upstream did some changes that addressed this in OpenSSL
wrapping code, along with change related to handling of multiple CNs:
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.8&r2=1.11&f=h
They also changed GnuTLS code to check the last CN instead of the first
one, but this was not affected by CVE-2009-2408-like problems:
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_g.c.diff?r1=1.13&r2=1.14&f=h
NSS wrapper was re-written too to do name checking itself and not rely
on NSS (CVE-2009-2408 should likely apply here directly and patched
NSS should be sufficient to address null prefix issue in this case;
I've not tested though, do your own tests if you build OpenLDAP with
NSS):
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h
--
Tomas Hoger / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic