Search results

Mandriva security update to php
([Security] Posted Jan 22, 2014 17:23 UTC (Wed) by ris )

CVE-2009-2408
 (CVE-2013-4248).
 
 The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP
 before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not
 properly parse (1) notBefore and (2) notAfter timestamps in X.509
 certificates, which allows remote attackers to execute arbitrary
 code or cause

Mandriva security update to php
([Security] Posted Aug 27, 2013 15:24 UTC (Tue) by ris )

CVE-2009-2408
 (CVE-2013-4248).
 
 Additionally a patch has been applied to fix a UMR (Uninitialized
 Memory Read) bug in the original fix for CVE-2013-4248.
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248 
  http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dc... 
  http://git.php.net/?p=php-src.git;a=commit;h=c1c49d6e3983... 
 _______________________________________________________________________

 Updated Packages

python: man in the middle attack
([Security] Posted Aug 26, 2013 16:09 UTC (Mon) by ris )

CVE entry:
 
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408

php: multiple vulnerabilities
([Security] Posted Aug 26, 2013 16:08 UTC (Mon) by ris )

CVE entries:
 
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. (CVE-2011-4718)
 
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408

Gentoo security update to firefox
([Security] Posted Jan 8, 2013 17:31 UTC (Tue) by ris )

[ 106 ] CVE-2009-2408

msmtp: X.509 NULL spoofing
([Security] Posted Jun 26, 2012 17:41 UTC (Tue) by ris )

CVE entry:
 
Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408

Mandriva security update to kdelibs4
([Security] Posted Nov 1, 2011 17:55 UTC (Tue) by ris )

CVE-2009-2408
 (CVE-2009-2702).
 
 An input sanitization flaw was found in the KSSL (KDE SSL Wrapper)
 API. An attacker could supply a specially-crafted SSL certificate
 (for example, via a web page) to an application using KSSL, such
 as the Konqueror web browser, causing misleading information to be
 presented

libesmtp: certificate spoofing
([Security] Posted Oct 5, 2010 18:06 UTC (Tue) by ris )

CVE-2009-2408
 (CVE-2010-1192).
 
The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and
possibly other versions including 1.0.4, treats two strings as equal if
one is a substring of the other, which allows remote attackers to spoof
trusted certificates via a crafted subjectAltName (CVE

Mandriva security update to libesmtp
([Security] Posted Oct 5, 2010 16:21 UTC (Tue) by ris )

CVE-2009-2408
 (CVE-2010-1192).
 
 The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and
 possibly other versions including 1.0.4, treats two strings as equal if
 one is a substring of the other, which allows remote attackers to spoof
 trusted certificates via a crafted subjectAltName (CVE

w3m: man-in-the-middle attack
([Security] Posted Jul 9, 2010 20:23 UTC (Fri) by ris )

CVE entry:
 
istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408

Debian security update to icedove
([Security] Posted Mar 31, 2010 18:07 UTC (Wed) by corbet )

CVE-2009-2408 CVE-2009-2404 CVE-2009-2463
                 CVE-2009-3072 CVE-2009-3075 CVE-2010-0163

Several remote vulnerabilities have been discovered in the Icedove
mail client, an unbranded version of the Thunderbird mail client. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2009-2408

Mandriva security update to kdelibs4
([Security] Posted Jan 27, 2010 19:26 UTC (Wed) by corbet )

CVE-2009-2408 (CVE-2009-2702).
 
 KDE Konqueror allows remote attackers to cause a denial of service
 (memory consumption) via a large integer value for the length property
 of a Select object, a related issue to CVE-2009-1692 (CVE-2009-2537).
 
 The gdtoa (aka new dtoa) implementation in gdtoa/misc.c

Mandriva security update to kdelibs4
([Security] Posted Jan 27, 2010 19:26 UTC (Wed) by corbet )

CVE-2009-2408 (CVE-2009-2702).
 
 The JavaScript garbage collector in WebKit in Apple Safari before
 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1
 through 2.2.1 does not properly handle allocation failures, which
 allows remote attackers to execute arbitrary code or cause a denial
 of service

Mandriva security update to openldap
([Security] Posted Jan 26, 2010 18:38 UTC (Tue) by ris )

CVE-2009-2408 (CVE-2009-3767).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767 
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:

sendmail: several vulnerabilities
([Security] Posted Jan 12, 2010 19:38 UTC (Tue) by ris )

allows man-in-the-middle attackers to spoof arbitrary SSL-based
 SMTP servers via a crafted server certificate issued by a legitimate
 Certification Authority, and (2) allows remote attackers to bypass
 intended access restrictions via a crafted client certificate issued by
 a legitimate Certification Authority, a related issue to CVE-2009-2408

Mandriva security update to sendmail
([Security] Posted Jan 12, 2010 19:38 UTC (Tue) by ris )

CVE-2009-2408
 (CVE-2009-4565).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 This update provides a fix for this vulnerability.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565 
  http://www.sendmail.org/releases/8.14.4 
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:

Mandriva security update to kdelibs
([Security] Posted Dec 10, 2009 18:26 UTC (Thu) by cook )

CVE-2009-1698)
 
 WebKit in Apple Safari before 4.0.2, KHTML in kdelibs in KDE, QtWebKit
 (aka Qt toolkit), and possibly other products does not properly handle
 numeric character references, which allows remote attackers to execute
 arbitrary code or cause a denial of service (memory corruption and
 application crash) via a crafted HTML document. (CVE-2009-1725)
 
 KDE Konqueror allows remote attackers to cause a denial of service
 (memory consumption) via a large integer value for the length property
 of a Select object, a related issue to CVE-2009-1692. (CVE-2009-2537)
 
 KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
 '\0' (NUL) character in a domain name in the Subject Alternative Name
 field of an X.509 certificate, which allows man-in-the-middle attackers
 to spoof arbitrary SSL servers via a crafted certificate issued by a
 legitimate Certification Authority, a related issue to CVE-2009-2408

Mandriva security update to wget
([Security] Posted Dec 4, 2009 19:10 UTC (Fri) by ris )

-2009:206-1 ] wget   
   Date : Fri, 04 Dec 2009 14:35:00 +0100
   Message-ID : <E1NGYJI-0006Jm-RQ@titan.mandriva.com>

  

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2009:206-1
  http://www.mandriva.com/security/ 
 _______________________________________________________________________

 Package : wget
 Date    : December 4, 2009
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in wget:
 
 GNU Wget before 1.12 does not properly handle a '\0' (NUL) character
 in a domain name in the Common Name field of an X.509 certificate,
 which allows man-in-the-middle remote attackers to spoof arbitrary SSL
 servers via a crafted certificate issued by a legitimate Certification
 Authority, a related issue to CVE-2009-2408

Mandriva security update to curl
([Security] Posted Dec 4, 2009 19:02 UTC (Fri) by ris )

-2009:203-1 ] curl   
   Date : Fri, 04 Dec 2009 04:22:00 +0100
   Message-ID : <E1NGOk4-0005xX-DX@titan.mandriva.com>

  

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2009:203-1
  http://www.mandriva.com/security/ 
 _______________________________________________________________________

 Package : curl
 Date    : December 4, 2009
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in curl:
 
 lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is
 used, does not properly handle a '\0' character in a domain name in
 the subject's Common Name (CN) field of an X.509 certificate, which
 allows man-in-the-middle attackers to spoof arbitrary SSL servers via
 a crafted certificate issued by a legitimate Certification Authority,
 a related issue to CVE-2009-2408

Mandriva security update to libneon
([Security] Posted Dec 4, 2009 18:35 UTC (Fri) by ris )

-2009:315 ] libneon   
   Date : Fri, 04 Dec 2009 18:37:00 +0100
   Message-ID : <E1NGc5U-0003yb-5n@titan.mandriva.com>

  

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:315
  http://www.mandriva.com/security/ 
 _______________________________________________________________________

 Package : libneon
 Date    : December 4, 2009
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in libneon:
 
 neon before 0.28.6, when OpenSSL is used, does not properly handle a
 '\0' (NUL) character in a domain name in the subject's Common Name
 (CN) field of an X.509 certificate, which allows man-in-the-middle
 attackers to spoof arbitrary SSL servers via a crafted certificate
 issued by a legitimate Certification Authority, a related issue to
 CVE-2009-2408

Mandriva security update to fetchmail
([Security] Posted Dec 4, 2009 18:33 UTC (Fri) by ris )

-2009:201-1 ] fetchmail   
   Date : Fri, 04 Dec 2009 04:11:00 +0100
   Message-ID : <E1NGOZQ-0005vR-NT@titan.mandriva.com>

  

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2009:201-1
  http://www.mandriva.com/security/ 
 _______________________________________________________________________

 Package : fetchmail
 Date    : December 4, 2009
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in fetchmail:
 
 socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
 (NUL) character in a domain name in the subject's Common Name (CN)
 and subjectAlt(ernative)Name fields of an X.509 certificate, which
 allows man-in-the-middle attackers to spoof arbitrary SSL servers via
 a crafted certificate issued by a legitimate Certification Authority,
 a related issue to CVE-2009-2408

Mandriva security update to nss
([Security] Posted Dec 3, 2009 19:15 UTC (Thu) by cook )

CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
 cause a denial-of-service and possible code execution via a long
 domain name in X.509 certificate (CVE-2009-2404).
 
 This update provides the latest versions of NSS and NSPR libraries
 which are not vulnerable to those attacks

Mandriva security update to mozilla-thunderbird
([Security] Posted Dec 3, 2009 19:15 UTC (Thu) by cook )

CVE-2009-2408).
 
 A vulnerability was found in xmltok_impl.c (expat) that with
 specially crafted XML could be exploited and lead to a denial of
 service attack. Related to CVE-2009-2625 (CVE-2009-3720).
 
 This update provides the latest version of Thunderbird which is not
 vulnerable to these issues

SuSE security update to cyrus-imapd, neon/libneon, freeradius, strongswan, openldap2, apache2-mod_jk, expat, xpdf, mozilla-nspr
([Security] Posted Nov 10, 2009 18:54 UTC (Tue) by ris )

CVE-2008-5519, CVE-2009-1563, CVE-2009-2408
CVE-2009-2473, CVE-2009-2661, CVE-2009-3111
CVE-2009-3235, CVE-2009-3603, CVE-2009-3604
CVE-2009-3605, CVE-2009-3606, CVE-2009-3608
CVE-2009-3609, CVE-2009-3720, MFSA 2009-59

    Content of this advisory:
        1) Solved

Mandriva security update to proftpd
([Security] Posted Oct 26, 2009 18:12 UTC (Mon) by jake )

-2009:288 ] proftpd   
   Date : Sat, 24 Oct 2009 01:31:02 +0200
   Message-ID : <E1N1Tb4-0005pE-FR@titan.mandriva.com>

  

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:288
  http://www.mandriva.com/security/ 
 _______________________________________________________________________

 Package : proftpd
 Date    : October 23, 2009
 Affected: 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
           Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been identified and corrected in proftpd:
 
 The mod_tls module in proftpd < 1.3.2b is vulnerable to a similar
 security issue as CVE-2009-2408


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds