Giuseppe Iuculano
2009-Aug-14 08:39 UTC
[Secure-testing-team] Bug#541439: CVE-2009-2730: does not properly handle a '\0' character
Package: gnutls26
Severity: serious
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for gnutls26.

CVE-2009-2730[0]:
| libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0'
| character in a domain name in the subject's (1) Common Name (CN) or
| (2) Subject Alternative Name (SAN) field of an X.509 certificate,
| which allows man-in-the-middle attackers to spoof arbitrary SSL
| servers via a crafted certificate issued by a legitimate Certification
| Authority.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Could you check if gnutls13 is affected please?

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2730
    http://security-tracker.debian.net/tracker/CVE-2009-2730

Cheers,
Giuseppe.
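As an added illustration of the failure mode the CVE text describes (this is not GnuTLS code and not part of the bug report): an X.509 name is DER-encoded with an explicit length, so a name containing an embedded NUL byte is perfectly valid on the wire, but a verifier that compares it as a NUL-terminated C string only sees the part before the NUL. The function and sample names below are hypothetical and the DER input is constructed inline.

```python
# Added example (not GnuTLS code): comparing a certificate name as a C string
# versus comparing the full DER-declared content, length-aware.

def name_from_der_utf8string(der: bytes) -> bytes:
    """Decode a minimal DER UTF8String (tag 0x0C, short-form length) and
    return its complete content bytes, including any embedded NUL."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or malformed length")
    return der[2:]

def matches_as_c_string(cert_name: bytes, hostname: str) -> bool:
    """Vulnerable pattern: the name is treated as NUL-terminated, so every
    byte after the first \\0 is silently ignored during the comparison."""
    truncated = cert_name.split(b"\x00", 1)[0]
    return truncated.decode("utf-8", "replace").lower() == hostname.lower()

def matches_length_aware(cert_name: bytes, hostname: str) -> bool:
    """Hardened check: a NUL can never legitimately appear in a DNS name,
    so reject it outright, then compare the entire declared content."""
    if b"\x00" in cert_name:
        return False
    return cert_name.decode("utf-8", "replace").lower() == hostname.lower()

# Constructed sample values (hypothetical names, not from any real certificate).
CRAFTED_CN = b"www.bank.example\x00.evil.example"
CRAFTED_DER = bytes([0x0C, len(CRAFTED_CN)]) + CRAFTED_CN
HONEST_CN = b"www.bank.example"
HONEST_DER = bytes([0x0C, len(HONEST_CN)]) + HONEST_CN

if __name__ == "__main__":
    name = name_from_der_utf8string(CRAFTED_DER)
    # The C-string comparison accepts the crafted name; the length-aware one rejects it.
    print("C-string compare :", matches_as_c_string(name, "www.bank.example"))   # True
    print("length-aware     :", matches_length_aware(name, "www.bank.example"))  # False
```

The DER decoder is deliberately minimal (single-byte lengths only); a real verifier must also handle the SAN extension, IA5String/PrintableString tags and long-form lengths, but the comparison rule is the same.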