Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 290664 (CVE-2009-3639) - <net-ftp/proftpd-1.3.2b subjectAltName TLS certificate spoofing (CVE-2009-3639)
Summary: <net-ftp/proftpd-1.3.2b subjectAltName TLS certificate spoofing (CVE-2009-3639)
Alias: CVE-2009-3639
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2009-10-26 23:16 UTC by Tobias Heinlein (RETIRED)
Modified: 2009-11-07 14:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 23:16:54 UTC
From secunia:

A security issue has been reported in ProFTPD, which can be exploited by malicious people to conduct spoofing attacks.

The security issues is caused due to an error in the "mod_tls" module when processing client SSL certificates. This can be exploited to trick a server into accepting a potentially malicious SSL certificate by including a NULL character in the "subjectAltName" certificate field.

Update to version 1.3.2b.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 23:18:13 UTC
Maintainers, please bump.
Comment 2 Bernard Cafarelli gentoo-dev 2009-10-27 07:29:36 UTC
1.3.2b and 1.3.3_rc3 are in tree (from bug #290262), I suggest stabling 1.3.2b
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-27 07:38:45 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-28 21:39:13 UTC
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2009-10-30 17:12:22 UTC
alpha/sparc stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2009-10-30 17:59:29 UTC
Stable for HPPA.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-10-31 13:13:06 UTC
ppc64 done
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-31 19:30:43 UTC
CVE-2009-3639 (
  The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before
  1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not
  properly handle a '\0' character in a domain name in the Subject
  Alternative Name field of an X.509 client certificate, which allows
  remote attackers to bypass intended client-hostname restrictions via
  a crafted certificate issued by a legitimate Certification Authority,
  a related issue to CVE-2009-2408.

Comment 9 nixnut (RETIRED) gentoo-dev 2009-11-01 16:00:45 UTC
ppc stable
Comment 10 Markus Meier gentoo-dev 2009-11-04 11:23:40 UTC
amd64 stable, all arches done.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-04 18:42:23 UTC
Ready to vote, I vote NO.
I know that we had GLSAs for curl and wget on the same technical issue, but those are used by other software extensively (think of libcurl in php etc.).
Comment 12 Tony Vroon gentoo-dev 2009-11-06 14:09:56 UTC
GLSA vote: No.
While SFTP is in active use around the world, FTPS is in fact rare. Use of client certificates for FTPS is something I haven't even seen in use anywhere. The target audience is very, very small.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 15:30:51 UTC
Closing noglsa.
Feel free to reopen if you think otherwise.