Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22379
HistoryAug 25, 2009 - 12:00 a.m.

[ MDVSA-2009:221 ] libneon0.27

2009-08-2500:00:00
vulners.com
29
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mandriva Linux Security Advisory MDVSA-2009:221
http://www.mandriva.com/security/

Package : libneon0.27
Date : August 24, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0

Problem Description:

Multiple vulnerabilities has been found and corrected in libneon0.27:

neon before 0.28.6, when expat is used, does not properly detect
recursion during entity expansion, which allows context-dependent
attackers to cause a denial of service (memory and CPU consumption)
via a crafted XML document containing a large number of nested entity
references, a similar issue to CVE-2003-1564 (CVE-2009-2473).

neon before 0.28.6, when OpenSSL is used, does not properly handle a
'\0' (NUL) character in a domain name in the subject's Common Name
(CN) field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority, a related issue to
CVE-2009-2408 (CVE-2009-2474).

This update provides a solution to these vulnerabilities.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2474

Updated Packages:

Mandriva Linux 2008.1:
26729257d5b2255a8a6242cfe6931dc9 2008.1/i586/libneon0.27-0.28.3-0.2mdv2008.1.i586.rpm
992af0611f69a2e4043f29faf50de608 2008.1/i586/libneon0.27-devel-0.28.3-0.2mdv2008.1.i586.rpm
71e83652b0aa875f404ecf0df9409184 2008.1/i586/libneon0.27-static-devel-0.28.3-0.2mdv2008.1.i586.rpm
a4b59dd8d54e66de85f70186c7726269 2008.1/SRPMS/libneon0.27-0.28.3-0.2mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
56eb9b74f3e2202ac683377a16799c70 2008.1/x86_64/lib64neon0.27-0.28.3-0.2mdv2008.1.x86_64.rpm
f688d9a1285f19e7b80997b52a147a60 2008.1/x86_64/lib64neon0.27-devel-0.28.3-0.2mdv2008.1.x86_64.rpm
08f5058e8dc35470e8cdc8cf9cb16381 2008.1/x86_64/lib64neon0.27-static-devel-0.28.3-0.2mdv2008.1.x86_64.rpm
a4b59dd8d54e66de85f70186c7726269 2008.1/SRPMS/libneon0.27-0.28.3-0.2mdv2008.1.src.rpm

Mandriva Linux 2009.0:
9bf34661a2420bd2402cafc4565a2587 2009.0/i586/libneon0.27-0.28.3-1.1mdv2009.0.i586.rpm
f6ed581464940115491ec68cacafe859 2009.0/i586/libneon0.27-devel-0.28.3-1.1mdv2009.0.i586.rpm
db2dc25faa186ceb3394af63a9e2d0e6 2009.0/i586/libneon0.27-static-devel-0.28.3-1.1mdv2009.0.i586.rpm
14cbfad698a74067a74199807e8c9282 2009.0/SRPMS/libneon0.27-0.28.3-1.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
3a86cf10f1df3feaea91ae64e28f3e8d 2009.0/x86_64/lib64neon0.27-0.28.3-1.1mdv2009.0.x86_64.rpm
872195ee41e00405d03ab18010bd15d9 2009.0/x86_64/lib64neon0.27-devel-0.28.3-1.1mdv2009.0.x86_64.rpm
f841222c663bc8506e6e0e87a165c6b7 2009.0/x86_64/lib64neon0.27-static-devel-0.28.3-1.1mdv2009.0.x86_64.rpm
14cbfad698a74067a74199807e8c9282 2009.0/SRPMS/libneon0.27-0.28.3-1.1mdv2009.0.src.rpm

Mandriva Linux 2009.1:
14c6caacb5e2b3f9e0a2e7b7924ba1e3 2009.1/i586/libneon0.27-0.28.3-2.1mdv2009.1.i586.rpm
242e3182440acc212408d03d27ba9a08 2009.1/i586/libneon0.27-devel-0.28.3-2.1mdv2009.1.i586.rpm
71701b0c1b6931979cb6eabe377522aa 2009.1/i586/libneon0.27-static-devel-0.28.3-2.1mdv2009.1.i586.rpm
58bd3f3f6ac9178d9e4903fa88fd5862 2009.1/SRPMS/libneon0.27-0.28.3-2.1mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
5ac6a8cefa50849e32957b821ec1ef8c 2009.1/x86_64/lib64neon0.27-0.28.3-2.1mdv2009.1.x86_64.rpm
5b801b45bf9d73a59b7eb0a4b350431f 2009.1/x86_64/lib64neon0.27-devel-0.28.3-2.1mdv2009.1.x86_64.rpm
72e5bce2285b22ccd6b6f68c8c47bff8 2009.1/x86_64/lib64neon0.27-static-devel-0.28.3-2.1mdv2009.1.x86_64.rpm
58bd3f3f6ac9178d9e4903fa88fd5862 2009.1/SRPMS/libneon0.27-0.28.3-2.1mdv2009.1.src.rpm

Corporate 4.0:
6c92c285d835d3d283c820bbe14fa013 corporate/4.0/i586/libneon0.27-0.28.3-0.2.20060mlcs4.i586.rpm
ae72e53a686010d7b31e56bee90000e5 corporate/4.0/i586/libneon0.27-devel-0.28.3-0.2.20060mlcs4.i586.rpm
1814371725d85bb607af694a074fc816 corporate/4.0/i586/libneon0.27-static-devel-0.28.3-0.2.20060mlcs4.i586.rpm
617b5c9c0bf440531b571e34409023b3 corporate/4.0/SRPMS/libneon0.27-0.28.3-0.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
9db63260cab1c01d8f6e3882f719a8a6 corporate/4.0/x86_64/lib64neon0.27-0.28.3-0.2.20060mlcs4.x86_64.rpm
526df150c547d98fdeeda8241774bcbf corporate/4.0/x86_64/lib64neon0.27-devel-0.28.3-0.2.20060mlcs4.x86_64.rpm
02fa7448bb3a59c6f0947a2e96983813 corporate/4.0/x86_64/lib64neon0.27-static-devel-0.28.3-0.2.20060mlcs4.x86_64.rpm
617b5c9c0bf440531b571e34409023b3 corporate/4.0/SRPMS/libneon0.27-0.28.3-0.2.20060mlcs4.src.rpm

Mandriva Enterprise Server 5:
a2209a398a7f98673c5bd459dfa1fd58 mes5/i586/libneon0.27-0.28.3-1.1mdvmes5.i586.rpm
18631025bb665c21dcbd4ef75986dc2f mes5/i586/libneon0.27-devel-0.28.3-1.1mdvmes5.i586.rpm
b216b56ea349e57db0bd1a06791c1192 mes5/i586/libneon0.27-static-devel-0.28.3-1.1mdvmes5.i586.rpm
2cd59a4c7297629446c6c0779363d6fd mes5/SRPMS/libneon0.27-0.28.3-1.1mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
ee892ef74cca60e827899a0d9e06c8cd mes5/x86_64/lib64neon0.27-0.28.3-1.1mdvmes5.x86_64.rpm
db0c1a9ab2315bf05dc35382349d4534 mes5/x86_64/lib64neon0.27-devel-0.28.3-1.1mdvmes5.x86_64.rpm
0c131d6264ef181e0b3870c8eb438b36 mes5/x86_64/lib64neon0.27-static-devel-0.28.3-1.1mdvmes5.x86_64.rpm
2cd59a4c7297629446c6c0779363d6fd mes5/SRPMS/libneon0.27-0.28.3-1.1mdvmes5.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKkvLkmqjQ0CJFipgRAq6qAJ9cjtiGVrF46gPqCQlUYpyiTrM/uwCgm9Wp
0gkprOAZM9dbBhPRDNeWeEs=
=E/sr
-----END PGP SIGNATURE-----

Related

openvas 54
nessus 47
veracode 2
ubuntucve 11
prion 26
cve 25
debiancve 12
oraclelinux 2
redhat 3
securityvulns 2
centos 2
altlinux 2
fedora 2
seebug 2
mozilla 1
threatpost 1
exploitdb 1
github 1
freebsd 1
osv 2
openvas
openvas
Mandrake Security Advisory MDVSA-2009:221 (libneon0.27)
2009-09-02 00:00:00
Mandrake Security Advisory MDVSA-2009:221 (libneon0.27)
2009-09-02 00:00:00
CentOS Update for neon CESA-2009:1452 centos4 i386
2011-08-09 00:00:00
nessus
nessus
Mandriva Linux Security Advisory : libneon0.27 (MDVSA-2009:221)
2009-08-25 00:00:00
CentOS 4 / 5 : neon (CESA-2009:1452)
2010-01-06 00:00:00
Fedora 11 : neon-0.28.6-1.fc11 (2009-8815)
2009-08-24 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-01-15 08:53:01
Man-in-the-Middle (MitM)
2020-04-10 00:33:40
ubuntucve
ubuntucve
CVE-2009-2473
2009-08-21 00:00:00
CVE-2009-2474
2009-08-21 00:00:00
CVE-2003-1564
2003-12-31 00:00:00
prion
prion
Code injection
2009-08-21 17:30:00
Design/Logic Flaw
2009-08-21 17:30:00
Code injection
2009-07-30 19:30:00
cve
cve
CVE-2009-2473
2009-08-21 17:30:00
CVE-2009-2474
2009-08-21 17:30:00
CVE-2003-1564
2003-12-31 05:00:00
debiancve
debiancve
CVE-2009-2473
2009-08-21 17:30:00
CVE-2009-2474
2009-08-21 17:30:00
CVE-2009-2408
2009-07-30 19:30:00
oraclelinux
oraclelinux
neon security update
2009-09-21 00:00:00
gnome-vfs2 security and bug fix update
2013-01-11 00:00:00
redhat
redhat
(RHSA-2009:1452) Moderate: neon security update
2009-09-21 00:00:00
(RHSA-2013:0131) Low: gnome-vfs2 security and bug fix update
2013-01-08 00:00:00
(RHSA-2008:0886) Important: libxml2 security update
2008-09-11 00:00:00
securityvulns
securityvulns
libneon certificate spoofing
2009-08-25 00:00:00
Mozilla Foundation Security Advisory 2009-42
2009-08-07 00:00:00
centos
centos
neon security update
2009-09-22 13:46:23
gnome security update
2013-01-09 19:45:49
altlinux
altlinux
Security fix for the ALT Linux 5 package gnome-vfs version 1:2.24.3-alt2
2010-09-27 00:00:00
Security fix for the ALT Linux 5 package gnome-vfs version 1:2.24.4-alt0.M50P.1
2010-11-13 00:00:00
fedora
fedora
[SECURITY] Fedora 11 Update: neon-0.28.6-1.fc11
2009-08-20 21:03:23
[SECURITY] Fedora 10 Update: neon-0.28.6-1.fc10
2009-08-20 20:59:38
seebug
seebug
Neon XML文档解析拒绝服务漏洞
2009-08-26 00:00:00
Mozilla Firefox NULL字符CA SSL证书验证安全绕过漏洞
2009-07-31 00:00:00
mozilla
mozilla
Compromise of SSL-protected communication — Mozilla
2009-08-01 00:00:00
threatpost
threatpost
Apple Safari
2009-12-29 21:50:26
exploitdb
exploitdb
Mozilla NSS NULL Character CA SSL Certificate Validation Security Bypass Vulnerability
2009-06-30 00:00:00
github
github
SnakeYAML Entity Expansion during load operation
2021-06-04 21:37:45
freebsd
freebsd
ejabberd -- remote denial of service vulnerability
2011-04-27 00:00:00
osv
osv
CVE-2017-18640
2019-12-12 03:15:10
JBossWS vulnerable to uncontrolled recursion
2022-05-13 01:39:29
JSON
Related for SECURITYVULNS:DOC:22379
openvas54nessus47veracode2ubuntucve11prion26cve25debiancve12oraclelinux2redhat3securityvulns2centos2altlinux2fedora2seebug2mozilla1threatpost1exploitdb1github1freebsd1osv2