Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 290345

Summary: <net-nds/openldap-2.4.19-r1 X.509 NUL character spoofing (CVE-2009-3767)
Product: Gentoo Security Reporter: Arseny Solokha <asolokha>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ldap-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openldap.org/software/release/changes.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Arseny Solokha 2009-10-24 09:45:00 UTC
OpenLDAP 2.4.19 released on October 6, 2009. Follow URL to learn release notes for 2.4.18 and 2.4.19.

Reproducible: Always

Steps to Reproduce:
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-26 18:31:07 UTC
CVE-2009-3767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3767):
  libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not
  properly handle a '\0' character in a domain name in the subject's
  Common Name (CN) field of an X.509 certificate, which allows
  man-in-the-middle attackers to spoof arbitrary SSL servers via a
  crafted certificate issued by a legitimate Certification Authority, a
  related issue to CVE-2009-2408.

Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-11-03 21:12:51 UTC
2.4.19 added to CVS now, go for stabilization.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-11-04 02:31:53 UTC
Arches, please test and mark stable:
=net-nds/openldap-2.4.19
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-04 16:59:02 UTC
x86 stable
Comment 5 Jeroen Roovers gentoo-dev 2009-11-05 19:57:19 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2009-11-05 20:12:12 UTC
amd64 stable
Comment 7 Markus Meier gentoo-dev 2009-11-06 16:33:18 UTC
arm stable, all arches done.
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-06 16:37:48 UTC
(In reply to comment #7)
> arm stable, all arches done.
> 

not quite ;o
Comment 9 Tobias Klausmann gentoo-dev 2009-11-07 22:20:19 UTC
Stable on alpha.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-11-15 11:48:58 UTC
ia64/s390/sh/sparc stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-11-17 16:17:15 UTC
ppc64 done
Comment 12 nixnut (RETIRED) gentoo-dev 2009-11-21 20:05:54 UTC
ppc stable
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-11-28 22:25:58 UTC
security: all arches are done. When you issue the GLSA, please use 2.4.19-r1 as the version. It contains an additional compile-fix and an upgrade safety check over 2.4.19-r0.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:03:50 UTC
GLSA vote: no.
Comment 15 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-20 08:51:08 UTC
I vote YES.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:30:11 UTC
YES too, request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-07-01 00:21:59 UTC
This issue was resolved and addressed in
 GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml
by GLSA coordinator Yury German (BlueKnight).