neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

neon is an HTTP and WebDAV client library, with a C interface. It provides a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support.

It was discovered that neon is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse an application using the neon library into accepting it by mistake. (CVE-2009-2474)

A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. A remote attacker (malicious DAV server) could provide a specially-crafted XML document that would cause excessive memory and CPU consumption if an application using the neon XML parser was tricked into processing it. (CVE-2009-2473)

All neon users should upgrade to these updated packages, which contain backported patches to correct these issues. Applications using the neon HTTP and WebDAV client library, such as cadaver, must be restarted for this update to take effect.
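Why a NUL byte in the CN defeats a C-string comparison, and what the corrected check looks like, as an added C example that is not neon's own code: the `cn_value` struct standing in for the certificate's length-prefixed CN, the hostnames and the byte strings are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a CN as decoded from ASN.1: the value carries an
 * explicit length, so it may legitimately hold bytes after an embedded NUL. */
struct cn_value {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample values. The crafted CN reads as "www.example.com" to any
 * routine that stops at the first NUL, but its declared length covers 29 bytes. */
static const unsigned char crafted_bytes[] = "www.example.com\0attacker.test";
static const struct cn_value CRAFTED_CN = { crafted_bytes, sizeof(crafted_bytes) - 1 };
static const unsigned char legit_bytes[] = "www.example.com";
static const struct cn_value LEGIT_CN = { legit_bytes, sizeof(legit_bytes) - 1 };

/* Vulnerable pattern: the CN is treated as a NUL-terminated C string, so
 * strcmp() never sees the bytes after the embedded NUL and reports a match. */
bool cn_matches_vulnerable(const struct cn_value *cn, const char *expected)
{
    return strcmp((const char *)cn->data, expected) == 0;
}

/* Hardened check: refuse any CN containing a NUL before its declared end, then
 * compare the full declared length. (Case folding and wildcard handling, which
 * a real hostname matcher also needs, are omitted here.) */
bool cn_matches_hardened(const struct cn_value *cn, const char *expected)
{
    size_t explen = strlen(expected);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;            /* embedded NUL: malformed or hostile CN */
    return cn->len == explen && memcmp(cn->data, expected, explen) == 0;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("crafted CN, vulnerable check: %d\n", cn_matches_vulnerable(&CRAFTED_CN, host));
    printf("crafted CN, hardened check:   %d\n", cn_matches_hardened(&CRAFTED_CN, host));
    printf("legit CN,   hardened check:   %d\n", cn_matches_hardened(&LEGIT_CN, host));
    return 0;
}
```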