Changes in release 0.28.6:
* SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat; could allow a Denial of Service attack by a malicious server.
* SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in a certificate subject name with OpenSSL; could allow an undetected MITM attack against an SSL server if a trusted CA issues such a cert.

net-misc/neon-0.28.6 is now in the tree. Additional information:
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001046.html
Please stabilize net-misc/neon-0.28.6.
Sorry Arches, we need a newer GnuTLS as well. You'll be re-added when it is ready. From Redhat's bugzie/Joe Orton: "If neon is linked against GnuTLS, version 2.8.2 or later must be used to avoid the vulnerability." Arfrever, please raise the dependency. Currently there is ">=net-libs/gnutls-2.0".

http://lists.manyfish.co.uk/pipermail/neon/2009-August/001047.html
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001048.html
x86 stable
Stable for HPPA.
CVE-2009-2473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2473): neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2009-2474 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2474): neon before 0.28.6, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
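The two advisories above describe a parser that does unbounded entity expansion and a hostname check that compares the CN as a C string. The following is an added example in Python, not neon's code and not what the 0.28.6 patch does; it shows the defensive shape of both fixes: an expat parser that refuses any entity declaration before expansion can start, and a CN match that uses the full string length so an embedded NUL can never match a DNS name. The sample documents and the `www.example.com\0.other.example` subject are constructed for illustration; all function and constant names are this example's own.

```python
"""Defensive checks for the two neon 0.28.6 issues (added example, not neon's code)."""
import xml.parsers.expat

# Constructed samples: a plain WebDAV-style body and a two-level nested-entity body.
PLAIN_DOC = (b'<?xml version="1.0"?>'
             b'<D:multistatus xmlns:D="DAV:"><D:response/></D:multistatus>')
ENTITY_DOC = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE r [ <!ENTITY a "x"> <!ENTITY b "&a;&a;"> ]>'
              b'<r>&b;</r>')

# Constructed subject: a CA checking only the part after the NUL would see a
# name the requester controls, while a C string compare sees the part before it.
SPOOFED_CN = "www.example.com\0.other.example"


class EntityDeclarationRejected(Exception):
    """Raised when the document declares an entity; HTTP/WebDAV bodies do not need them."""


def parse_without_entities(xml_bytes):
    """Parse with expat but refuse every entity declaration (CVE-2009-2473 shape).

    Nested internal entities are what a "billion laughs" document relies on: each
    level multiplies the expanded output. Refusing the declaration itself means no
    expansion work is ever performed. Returns the element names in document order.
    """
    parser = xml.parsers.expat.ParserCreate()
    names = []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Raising inside a handler stops expat; the exception propagates out of Parse().
        raise EntityDeclarationRejected("entity declaration %r not allowed" % name)

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names


def accepts_document(xml_bytes):
    """True if the document parses without any entity declaration."""
    try:
        parse_without_entities(xml_bytes)
    except EntityDeclarationRejected:
        return False
    return True


def c_string_view(name):
    """What strcmp()/strcasecmp() see: everything before the first NUL byte."""
    nul = name.find("\0")
    return name if nul < 0 else name[:nul]


def naive_c_match(cn, hostname):
    """The vulnerable comparison: CN truncated at NUL, then compared to the host."""
    return c_string_view(cn).lower() == hostname.lower()


def cn_matches_host(cn, hostname):
    """Length-aware CN match (CVE-2009-2474 shape).

    The CN is taken with its full ASN.1 length, so an embedded NUL is part of the
    value and can never equal a real DNS name. Supports an exact match and a
    single-label leftmost wildcard such as *.example.com.
    """
    if "\0" in cn or "\0" in hostname:
        return False
    cn, hostname = cn.lower().rstrip("."), hostname.lower().rstrip(".")
    if cn.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == cn[2:]
    return cn == hostname


if __name__ == "__main__":
    print("plain body accepted:", accepts_document(PLAIN_DOC))
    print("entity body accepted:", accepts_document(ENTITY_DOC))
    print("naive C match on spoofed CN:", naive_c_match(SPOOFED_CN, "www.example.com"))
    print("length-aware match on spoofed CN:", cn_matches_host(SPOOFED_CN, "www.example.com"))
```

Rejecting declarations outright is stricter than counting expansions, but it is the simplest rule for a protocol body that never legitimately carries a DTD, and it fails closed. The `naive_c_match` function is kept beside the hardened one only to make the truncation visible on the constructed subject.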
ppc stable
ppc64 done
alpha/arm/ia64/s390/sh/sparc stable
amd64 stable. Arfrever, please remove the old, vulnerable versions. GLSA voting: YES.
(In reply to comment #11)
> amd64 stable.
> Arfrever, please remove the old, vulnerable versions.
> GLSA voting: YES.

I nuked the old versions while doing built_with_use cleanup.
Yes, too. Request filed.
How will a GLSA help users 2 years or more after fixing of the bug in the tree?
spare me your attitude
This issue has been fixed since Aug 26, 2009. No GLSA will be issued.