thr3ads.net - Secure testing team - [Secure-testing-team] Bug#549293: CVE-2009-3490: does not properly handle a ''\0'' character in a domain name in the Common Name field of an X.509 certificate [Oct 2009]

If this information is useful, please help other people find it:
Share via:

Giuseppe Iuculano

2009-Oct-02 07:39 UTC

[Secure-testing-team] Bug#549293: CVE-2009-3490: does not properly handle a ''\0'' character in a domain name in the Common Name field of an X.509 certificate

Package: wget
Version: 1.11.4-4
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wget.

CVE-2009-3490[0]:
| GNU Wget before 1.12 does not properly handle a ''\0''
character in a
| domain name in the Common Name field of an X.509 certificate, which
| allows man-in-the-middle remote attackers to spoof arbitrary SSL
| servers via a crafted certificate issued by a legitimate Certification
| Authority, a related issue to CVE-2009-2408.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3490
    http://security-tracker.debian.net/tracker/CVE-2009-3490


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrFrkwACgkQNxpp46476aqi+gCePfmrLdxhk/yebah+M5rMO0uC
P3oAn3EA9CZ+IdC2g0Da3eIlIKLEtT8Q
=346W
-----END PGP SIGNATURE-----

Secure testing team - Oct 2009 - Bug#549293: CVE-2009-3490: does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate

[Secure-testing-team] Bug#549293: CVE-2009-3490: does not properly handle a ''\0'' character in a domain name in the Common Name field of an X.509 certificate