Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 290345 - <net-nds/openldap-2.4.19-r1 X.509 NUL character spoofing (CVE-2009-3767)
Summary: <net-nds/openldap-2.4.19-r1 X.509 NUL character spoofing (CVE-2009-3767)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.openldap.org/software/rele...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-24 09:45 UTC by Arseny Solokha
Modified: 2014-07-01 00:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arseny Solokha 2009-10-24 09:45:00 UTC 
OpenLDAP 2.4.19 released on October 6, 2009. Follow URL to learn release notes for 2.4.18 and 2.4.19.

Reproducible: Always

Steps to Reproduce:
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-26 18:31:07 UTC 
CVE-2009-3767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3767):
  libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not
  properly handle a '\0' character in a domain name in the subject's
  Common Name (CN) field of an X.509 certificate, which allows
  man-in-the-middle attackers to spoof arbitrary SSL servers via a
  crafted certificate issued by a legitimate Certification Authority, a
  related issue to CVE-2009-2408.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-11-03 21:12:51 UTC 
2.4.19 added to CVS now, go for stabilization.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-11-04 02:31:53 UTC 
Arches, please test and mark stable:
=net-nds/openldap-2.4.19
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-04 16:59:02 UTC 
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-05 19:57:19 UTC 
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2009-11-05 20:12:12 UTC 
amd64 stable
Comment 7 Markus Meier gentoo-dev 2009-11-06 16:33:18 UTC 
arm stable, all arches done.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-06 16:37:48 UTC 
(In reply to comment #7)
> arm stable, all arches done.
> 

not quite ;o
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2009-11-07 22:20:19 UTC 
Stable on alpha.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-11-15 11:48:58 UTC 
ia64/s390/sh/sparc stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-11-17 16:17:15 UTC 
ppc64 done
Comment 12 nixnut (RETIRED) gentoo-dev 2009-11-21 20:05:54 UTC 
ppc stable
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-11-28 22:25:58 UTC 
security: all arches are done. When you issue the GLSA, please use 2.4.19-r1 as the version. It contains an additional compile-fix and an upgrade safety check over 2.4.19-r0.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:03:50 UTC 
GLSA vote: no.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-20 08:51:08 UTC 
I vote YES.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:30:11 UTC 
YES too, request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-07-01 00:21:59 UTC 
This issue was resolved and addressed in
 GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml
by GLSA coordinator Yury German (BlueKnight).