Executive Summary

Summary | |
---|---|
Title | neon vulnerabilities |

Information | |
---|---|
Name | USN-835-1 |
Vendor | Ubuntu |
Severity (Vendor) | N/A |
First vendor publication | 2009-09-21 |
Last vendor modification | 2009-09-21 |
Revision | N/A |
Security-Database Scoring CVSS v3

CVSS vector : N/A | |
---|---|
Overall CVSS Score | NA |
Base Score | NA |
Environmental Score | NA |
Impact Sub Score | NA |
Temporal Score | NA |
Exploitability Sub Score | NA |
Security-Database Scoring CVSS v2

CVSS vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |
---|---|
CVSS Base Score | 6.8 |
CVSS Impact Score | 6.4 |
CVSS Exploit Score | 8.6 |
Attack Range | Network |
Attack Complexity | Medium |
Authentication | None Required |
Detail
A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
Ubuntu 8.04 LTS:
Ubuntu 8.10:
Ubuntu 9.04:

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Joe Orton discovered that neon did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.
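As an added illustration (not part of the Ubuntu advisory or of neon's own code), the C below contrasts the C-string comparison that an embedded zero byte in the CN defeats with a length-aware comparison that a client should use instead; the `asn1_str` type and the two sample CNs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <ctype.h>

/* Constructed stand-in for an ASN.1 string as a TLS library hands it to the
 * application: an explicit byte length plus the raw bytes, which may legally
 * contain 0x00. This struct is an assumption, not neon's or OpenSSL's type. */
typedef struct {
    const unsigned char *data;
    size_t len;
} asn1_str;

/* Vulnerable pattern: treating the CN as a C string. strcmp stops at the first
 * NUL, so a CN of "good.example\0evil.test" compares equal to "good.example". */
int cn_matches_vulnerable(const asn1_str *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: refuse any CN containing a NUL inside its declared length,
 * require the lengths to agree, then compare every byte (ASCII case-insensitive). */
int cn_matches_hardened(const asn1_str *cn, const char *host)
{
    size_t i;
    if (memchr(cn->data, '\0', cn->len) != NULL)   /* embedded NUL: malformed, refuse */
        return 0;
    if (strlen(host) != cn->len)                   /* lengths must agree exactly */
        return 0;
    for (i = 0; i < cn->len; i++)
        if (tolower(cn->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Constructed samples: one CN whose ASN.1 length runs past an embedded NUL, one honest CN. */
static const unsigned char crafted_cn[] = "good.example\0evil.test";
static const asn1_str CRAFTED = { crafted_cn, sizeof(crafted_cn) - 1 };   /* 22 bytes */
static const unsigned char honest_cn[] = "good.example";
static const asn1_str HONEST = { honest_cn, sizeof(honest_cn) - 1 };      /* 12 bytes */

int main(void)
{
    printf("vulnerable check accepts crafted CN: %d\n", cn_matches_vulnerable(&CRAFTED, "good.example"));
    printf("hardened check accepts crafted CN:   %d\n", cn_matches_hardened(&CRAFTED, "good.example"));
    printf("hardened check accepts honest CN:    %d\n", cn_matches_hardened(&HONEST, "good.example"));
    return 0;
}
```

The same length-versus-strlen disagreement is the signal a scanner or a code review looks for wherever certificate name fields are copied into C strings.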
Original Source
Url : http://www.ubuntu.com/usn/USN-835-1
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-326 | Inadequate Encryption Strength |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11721

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:11721 |
Title | neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
Description | neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
Family | unix |
Class | vulnerability |
Reference(s) | CVE-2009-2474 |
Version | 5 |
Platform(s) | Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5 |
Product(s) | |
Definition Synopsis | |

Definition Id: oval:org.mitre.oval:def:22944

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:22944 |
Title | ELSA-2009:1452: neon security update (Moderate) |
Description | neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
Family | unix |
Class | patch |
Reference(s) | ELSA-2009:1452-01, CVE-2009-2473, CVE-2009-2474 |
Version | 13 |
Platform(s) | Oracle Linux 5 |
Product(s) | neon |
Definition Synopsis | |

Definition Id: oval:org.mitre.oval:def:29270

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:29270 |
Title | RHSA-2009:1452 -- neon security update (Moderate) |
Description | Updated neon packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. neon is an HTTP and WebDAV client library, with a C interface. It provides a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support. |
Family | unix |
Class | patch |
Reference(s) | RHSA-2009:1452, CESA-2009:1452-CentOS 5, CVE-2009-2473, CVE-2009-2474 |
Version | 3 |
Platform(s) | Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 4, CentOS Linux 5 |
Product(s) | neon |
Definition Synopsis | |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-09-07 | Name : Mac OS X v10.6.4 Multiple Vulnerabilities (2010-007) File : nvt/gb_macosx_su10-007.nasl |
2011-08-09 | Name : CentOS Update for neon CESA-2009:1452 centos4 i386 File : nvt/gb_CESA-2009_1452_neon_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for neon CESA-2009:1452 centos5 i386 File : nvt/gb_CESA-2009_1452_neon_centos5_i386.nasl |
2009-12-10 | Name : Mandriva Security Advisory MDVSA-2009:315 (libneon) File : nvt/mdksa_2009_315.nasl |
2009-09-28 | Name : RedHat Security Advisory RHSA-2009:1452 File : nvt/RHSA_2009_1452.nasl |
2009-09-28 | Name : CentOS Security Advisory CESA-2009:1452 (neon) File : nvt/ovcesa2009_1452.nasl |
2009-09-15 | Name : Mandrake Security Advisory MDVSA-2009:228 (libneon) File : nvt/mdksa_2009_228.nasl |
2009-09-02 | Name : Mandrake Security Advisory MDVSA-2009:221 (libneon0.27) File : nvt/mdksa_2009_221.nasl |
2009-08-27 | Name : Neon Certificate Spoofing and Denial of Service Vulnerability File : nvt/secpod_neon_cert_spoofing_n_dos_vuln.nasl |
2009-03-13 | Name : Mandrake Security Advisory MDVSA-2009:074 (libneon0.27) File : nvt/mdksa_2009_074.nasl |
2009-02-17 | Name : Fedora Update for neon FEDORA-2008-7661 File : nvt/gb_fedora_2008_7661_neon_fc9.nasl |
2008-09-17 | Name : FreeBSD Ports: neon28 File : nvt/freebsd_neon28.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
57514 | neon w/ OpenSSL X.509 Certificate Authority (CA) Common Name Null Byte Handli... |
47676 | neon src/ne_auth.c parse_domain() Function NULL Dereference Remote DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1452.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090921_neon_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2010-11-10 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_6_5.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1452.nasl - Type : ACT_GATHER_INFO |
2009-12-07 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-315.nasl - Type : ACT_GATHER_INFO |
2009-09-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1452.nasl - Type : ACT_GATHER_INFO |
2009-09-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-835-1.nasl - Type : ACT_GATHER_INFO |
2009-08-25 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-221.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8794.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8815.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libneon-devel-080821.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-074.nasl - Type : ACT_GATHER_INFO |
2008-10-16 | Name : The remote Fedora host is missing a security update. File : fedora_2008-7661.nasl - Type : ACT_GATHER_INFO |
2008-09-12 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_755fa51980a911dd8de50030843d3802.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:06:16 | |