neon-0.25.5-10AXS3.1

Errata ID: AXSA:2009-403:02

Release date: 
Wednesday, September 30, 2009 - 14:20
Subject: 
neon-0.25.5-10AXS3.1
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

neon is an HTTP and WebDAV client library with a C interface. It provides a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support.
Security bugs fixed by this release:
CVE-2009-2473
neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
CVE-2009-2474
neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
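The failure mode behind CVE-2009-2474, shown as an added example (not neon's code and not part of the advisory): a CN compared as a C string stops at the first NUL byte, while a length-aware check rejects such a name. The function names and the sample CN bytes are constructed for illustration; wildcard and subjectAltName handling are left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a CN as it arrives from the certificate, as bytes plus
 * an explicit length. The embedded NUL is part of the name. */
static const unsigned char CRAFTED_CN[] = "www.example.com\0.untrusted.example";
static const size_t CRAFTED_CN_LEN = sizeof(CRAFTED_CN) - 1;
static const unsigned char PLAIN_CN[] = "www.example.com";
static const size_t PLAIN_CN_LEN = sizeof(PLAIN_CN) - 1;

/* Case-insensitive comparison of exactly n bytes. */
static int ci_equal(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: the CN is treated as a C string, so everything after the
 * first NUL is silently dropped and cn_len is never consulted. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;
    size_t seen = strlen((const char *)cn);
    return seen == strlen(host) && ci_equal(cn, host, seen);
}

/* Hardened pattern: refuse any CN containing a NUL, then compare using the
 * length carried in the certificate rather than strlen(). */
int cn_matches_checked(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (cn_len == 0 || memchr(cn, '\0', cn_len) != NULL)
        return 0;
    return cn_len == strlen(host) && ci_equal(cn, host, cn_len);
}

int main(void)
{
    const char *host = "www.example.com";
    printf("naive:   crafted=%d plain=%d\n",
           cn_matches_naive(CRAFTED_CN, CRAFTED_CN_LEN, host),
           cn_matches_naive(PLAIN_CN, PLAIN_CN_LEN, host));
    printf("checked: crafted=%d plain=%d\n",
           cn_matches_checked(CRAFTED_CN, CRAFTED_CN_LEN, host),
           cn_matches_checked(PLAIN_CN, PLAIN_CN_LEN, host));
    return 0;
}
```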

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. neon-0.25.5-10AXS3.1.src.rpm
    MD5: a274df164a920013b1fbc082440f77ad
    SHA-256: 37bc8c889b7e19a729fd375170f7c755f97f05b83e6789dc2761b827103a65c0
    Size: 764.57 kB

Asianux Server 3 for x86
  1. neon-0.25.5-10AXS3.1.i386.rpm
    MD5: a2a3bfdf7dabfefceda03432c61a553e
    SHA-256: 12f59244f8d1b3933610f1da25428d93ecfc365b56ba667ba5a90b57863b6d64
    Size: 101.50 kB

Asianux Server 3 for x86_64
  1. neon-0.25.5-10AXS3.1.x86_64.rpm
    MD5: f6ae8343ee43494bb8c4f8ae9eedf62a
    SHA-256: fe5de20c4440d9c824945844919e2a8c3de885f6bf59eff061edce9670fc05a7
    Size: 100.33 kB