Rapid7 Vulnerability & Exploit Database

RHSA-2009:1452: neon security update

Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
08/21/2009
Created
07/25/2018
Added
09/21/2009
Modified
05/25/2020

Description

neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

neon is an HTTP and WebDAV client library, with a C interface. It provides a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support.

It was discovered that neon is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse an application using the neon library into accepting it by mistake. (CVE-2009-2474)

A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. A remote attacker (malicious DAV server) could provide a specially-crafted XML document that would cause excessive memory and CPU consumption if an application using the neon XML parser was tricked into processing it. (CVE-2009-2473)

All neon users should upgrade to these updated packages, which contain backported patches to correct these issues. Applications using the neon HTTP and WebDAV client library, such as cadaver, must be restarted for this update to take effect.
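The following C snippet is an added illustration of the string-handling mistake behind the "null prefix attack" in CVE-2009-2474 and of a length-aware check that rejects such a certificate name. It is not code from this advisory, from Red Hat or from the neon project. The hostnames and the crafted CN value are constructed for the example; in a real TLS client the CN bytes and their length would come from the certificate parser (with OpenSSL, ASN1_STRING_get0_data and ASN1_STRING_length) instead of from a C string literal.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample CN values (not taken from any real certificate).
 * In a certificate the CN is a DER string with an explicit length; a
 * C-string view of the same bytes stops at the first NUL. */
static const unsigned char CN_LEGIT[]   = "www.example.com";
static const unsigned char CN_CRAFTED[] = "www.example.com\0.attacker.example";

/* sizeof counts the literal's trailing NUL, so subtract one to get the
 * length a DER parser would report for the string. */
#define CN_LEGIT_LEN   (sizeof(CN_LEGIT) - 1)
#define CN_CRAFTED_LEN (sizeof(CN_CRAFTED) - 1)

/* Flawed check, the pattern the advisory describes: the CN is treated as a
 * NUL-terminated string, so everything after an embedded NUL is ignored and
 * the crafted CN compares equal to "www.example.com". */
bool cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *hostname)
{
    (void)cn_len; /* the real length is available but never consulted */
    return strcmp((const char *)cn, hostname) == 0;
}

/* Hardened check: refuse any CN with an embedded NUL (no valid DNS name
 * contains one), then compare the full DER length against the expected
 * hostname, case-insensitively because DNS names are. */
bool cn_matches_hardened(const unsigned char *cn, size_t cn_len, const char *hostname)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false; /* embedded NUL: the C-string view would lie about the name */

    size_t host_len = strlen(hostname);
    if (cn_len != host_len)
        return false;

    for (size_t i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)hostname[i]))
            return false;
    }
    return true;
}

int main(void)
{
    const char *host = "www.example.com";

    printf("naive    accepts crafted CN: %s\n",
           cn_matches_naive(CN_CRAFTED, CN_CRAFTED_LEN, host) ? "yes" : "no");
    printf("hardened accepts crafted CN: %s\n",
           cn_matches_hardened(CN_CRAFTED, CN_CRAFTED_LEN, host) ? "yes" : "no");
    printf("hardened accepts legit CN:   %s\n",
           cn_matches_hardened(CN_LEGIT, CN_LEGIT_LEN, host) ? "yes" : "no");
    return 0;
}
```

The same rule applies to subjectAltName dNSName entries: a name whose DER length differs from the length of its C-string view should be rejected outright rather than compared, which is the check that closes this class of spoofing regardless of which comparison routine is used afterwards.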

Solution(s)

  • redhat-upgrade-neon
  • redhat-upgrade-neon-devel
