[Pkg-openldap-devel] Bug#572005: openldap: CVE-2009-2408 certificate spoofing via null characters

Michael Gilbert michael.s.gilbert at gmail.com
Sun Feb 28 21:09:46 UTC 2010


Package: openldap
Version: 2.4.17-2.1
Severity: important
Tags: security

Hi, the following CVE (Common Vulnerabilities & Exposures) id was
published for openldap.

CVE-2009-2408[0]:
| Mozilla Network Security Services (NSS) before 3.12.3, Firefox before
| 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do
| not properly handle a '\0' character in a domain name in the subject's
| Common Name (CN) field of an X.509 certificate, which allows
| man-in-the-middle attackers to spoof arbitrary SSL servers via a
| crafted certificate issued by a legitimate Certification
| Authority. NOTE: this was originally reported for Firefox before 3.5.
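
The NUL-in-CN problem the CVE text describes, as an added illustration that is not OpenLDAP's own code (the real fix is the tls_m.c diff at [1]): a constructed naive C-string comparison beside a length-aware one, run over a constructed CN value whose DER length covers the bytes after the embedded NUL.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed example. A certificate CN is passed as (pointer, length)
 * because DER strings are length-prefixed and may legally contain a NUL. */

/* Vulnerable pattern: the DER value is treated as a C string, so the
 * comparison stops at the embedded NUL and the tail is never examined. */
bool cn_matches_host_naive(const unsigned char *cn, size_t cn_len,
                           const char *host)
{
    (void)cn_len;                       /* length ignored: this is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened pattern: refuse any CN with a NUL inside its declared length,
 * then compare the full length, case-insensitively as DNS names are. */
bool cn_matches_host_safe(const unsigned char *cn, size_t cn_len,
                          const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                   /* embedded NUL: reject outright */
    if (strlen(host) != cn_len)
        return false;                   /* length mismatch, no truncation */
    for (size_t i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return false;
    }
    return true;
}

/* Constructed crafted CN: 16 bytes "www.bank.example", one NUL, then
 * ".attacker.example"; the DER length covers all 34 bytes. */
static const unsigned char CRAFTED_CN[] =
    "www.bank.example" "\0" ".attacker.example";
#define CRAFTED_CN_LEN (sizeof(CRAFTED_CN) - 1)   /* 34, excludes C terminator */
```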

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

I've checked that the patch [1] is not applied in the latest version in
unstable; however, there is a note that isn't very clear about whether
this is actually needed [2], but perhaps to err on the side of caution,
it should be applied regardless.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
    http://security-tracker.debian.org/tracker/CVE-2009-2408
[1] http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h
[2] http://marc.info/?l=oss-security&m=125198917018936&w=2
