Summary: | <net-ftp/proftpd-1.3.2b subjectAltName TLS certificate spoofing (CVE-2009-3639) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | chtekk, net-ftp
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://secunia.com/advisories/37131/ | |
Whiteboard: | B4 [noglsa] | |
Package list: | | Runtime testing required: | ---
Description
Tobias Heinlein (RETIRED)
2009-10-26 23:16:54 UTC
Maintainers, please bump.

1.3.2b and 1.3.3_rc3 are in tree (from bug #290262), I suggest stabling 1.3.2b.

Arches, please test and mark stable:
=net-ftp/proftpd-1.3.2b
Target keywords: "alpha amd64 hppa ppc ppc64 sparc x86"

x86 stable

alpha/sparc stable

Stable for HPPA.

ppc64 done

CVE-2009-3639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3639):
The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

ppc stable

amd64 stable, all arches done.

Ready to vote, I vote NO. I know that we had GLSAs for curl and wget on the same technical issue, but those are used by other software extensively (think of libcurl in php etc.).

GLSA vote: No. While SFTP is in active use around the world, FTPS is in fact rare. Use of client certificates for FTPS is something I haven't even seen in use anywhere. The target audience is very, very small.

Closing noglsa. Feel free to reopen if you think otherwise.
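The NVD text quoted in the thread names the bug class but not its mechanics. The following is an added example, not ProFTPD or mod_tls code and not the upstream fix, written in plain C with no OpenSSL dependency so it runs anywhere. It shows why a hostname check that hands the dNSName content to a C string routine accepts a name such as "client.legit.example\0.attacker.example" when the client resolves to "client.legit.example", and how a check that honours the length declared in the ASN.1 encoding rejects it. The struct, function names and hostnames are invented for the illustration; the sample certificate name is constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A dNSName GeneralName as a DER decoder returns it: a byte pointer plus
 * the length the ASN.1 encoding declares. Nothing in X.509 forbids a 0x00
 * byte inside the IA5String, so `len` is the only trustworthy boundary.
 * (Hypothetical type for this example, not a mod_tls structure.) */
struct dns_name {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable pattern (the bug class of CVE-2009-3639 / CVE-2009-2408):
 * the SAN content is treated as a NUL-terminated C string, so strcmp()
 * stops at the embedded '\0' and never sees ".attacker.example". */
bool dnsname_matches_vulnerable(const struct dns_name *san, const char *hostname)
{
    return strcmp((const char *)san->data, hostname) == 0;
}

/* Does the declared length cover a byte that C string routines would treat
 * as a terminator? A well-formed hostname never contains one. */
bool dnsname_has_embedded_nul(const struct dns_name *san)
{
    return memchr(san->data, '\0', san->len) != NULL;
}

/* Hardened check: reject embedded NULs outright, then compare exactly
 * `len` bytes against the hostname the client resolved to. */
bool dnsname_matches_hardened(const struct dns_name *san, const char *hostname)
{
    if (dnsname_has_embedded_nul(san))
        return false;
    if (san->len != strlen(hostname))
        return false;
    return memcmp(san->data, hostname, san->len) == 0;
}

/* Constructed sample data (not from any real certificate): the attacker
 * controls attacker.example, so a CA validating that domain may issue a
 * certificate for the whole crafted string; only the prefix is spoofed. */
static const char resolved_client[] = "client.legit.example";
static const unsigned char crafted_bytes[] =
    "client.legit.example\0.attacker.example";      /* 38 bytes incl. the NUL */
static const unsigned char honest_bytes[] = "client.legit.example";
static const struct dns_name crafted = { crafted_bytes, sizeof crafted_bytes - 1 };
static const struct dns_name honest  = { honest_bytes,  sizeof honest_bytes  - 1 };

/* Named results so the outcome of each check can be inspected directly. */
bool crafted_passes_vulnerable_check(void) { return dnsname_matches_vulnerable(&crafted, resolved_client); }
bool crafted_passes_hardened_check(void)   { return dnsname_matches_hardened(&crafted, resolved_client); }
bool honest_passes_hardened_check(void)    { return dnsname_matches_hardened(&honest, resolved_client); }
size_t crafted_declared_len(void)          { return crafted.len; }

int main(void)
{
    printf("crafted SAN: declared length %zu, strlen() sees %zu\n",
           crafted_declared_len(), strlen((const char *)crafted.data));
    printf("vulnerable check accepts crafted name: %s\n",
           crafted_passes_vulnerable_check() ? "yes" : "no");
    printf("hardened check accepts crafted name:   %s\n",
           crafted_passes_hardened_check() ? "yes" : "no");
    printf("hardened check accepts honest name:    %s\n",
           honest_passes_hardened_check() ? "yes" : "no");
    return 0;
}
```

The point that generalises beyond this example: whenever a value arrives with an explicit length (DER strings, length-prefixed protocol fields) and is then compared or logged through functions that infer length from a terminator, a NUL inside the declared length silently truncates it. In OpenSSL the declared length is the `length` field of the `ASN1_STRING` (available through `ASN1_STRING_length()`), so the mismatch between that value and `strlen()` of the same bytes is the check to make before any string comparison.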