oss-sec mailing list archives

Re: neon 0.28.6 - CVE-2009-2473, CVE-2009-2474


From: Joe Orton <jorton () redhat com>
Date: Thu, 20 Aug 2009 08:56:41 +0100

On Tue, Aug 18, 2009 at 04:57:01PM +0100, Joe Orton wrote:
> * SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in
>   a certificate subject name with OpenSSL; could allow an undetected
>   MITM attack against an SSL server if a trusted CA issues such a cert.

I implied here, and stated in the message to the mailing list, that neon 
was not affected by this issue if linked against GnuTLS 2.8.2 or later, 
rather than OpenSSL.  This was not correct.  

Versions of neon <= 0.28.5 linked against any version of GnuTLS 
(including >= 2.8.2) are still vulnerable to at least one type of 
embedded-NUL issue.  

It is necessary to upgrade to neon 0.28.6 to fix the issue completely, 
if built against GnuTLS.

So far as this vulnerability affects neon, it is neither sufficient nor 
necessary to update to GnuTLS 2.8.2.  (i.e. neon 0.28.6 will not be 
vulnerable if linked against older versions of GnuTLS)

Apologies for the confusion, and hope this is clear.

Regards, Joe
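
Added example (not part of the original message, and not neon's code): the class of bug the quoted changelog entry describes, a certificate name holding an embedded NUL byte compared as a C string, shown beside a length-aware check. The struct, the function names and the sample names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A name as it sits in the certificate: raw bytes plus the encoded length.
 * Bytes after an embedded NUL are still part of the name. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed pattern: treats the name as a C string, so the comparison stops
 * at the first NUL and the trailing bytes are never examined. */
int match_cstring(const struct cert_name *cn, const char *hostname)
{
    return strcasecmp((const char *)cn->data, hostname) == 0;
}

/* Length-aware check: reject any name containing a NUL byte, then require
 * the full encoded length to equal the hostname length before comparing. */
int match_length_aware(const struct cert_name *cn, const char *hostname)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != strlen(hostname))
        return 0;
    return strncasecmp((const char *)cn->data, hostname, cn->len) == 0;
}

/* Constructed sample names (placeholders under example.*). */
static const unsigned char embedded[] = "www.example.com\0.other.example";
static const unsigned char clean[] = "www.example.com";

const struct cert_name NAME_EMBEDDED = { embedded, sizeof(embedded) - 1 };
const struct cert_name NAME_CLEAN = { clean, sizeof(clean) - 1 };

int main(void)
{
    const char *host = "www.example.com";
    printf("embedded NUL, C-string compare:    %d\n", match_cstring(&NAME_EMBEDDED, host));
    printf("embedded NUL, length-aware compare: %d\n", match_length_aware(&NAME_EMBEDDED, host));
    printf("clean name,   length-aware compare: %d\n", match_length_aware(&NAME_CLEAN, host));
    return 0;
}
```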

