Giuseppe Iuculano
2010-Jan-10 13:15 UTC
[Secure-testing-team] Bug#564581: CVE-2009-4565: does not properly handle a ''\0'' character in a Common Name (CN) field of an X.509 certificate
Package: sendmail
Severity: grave
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sendmail.
CVE-2009-4565[0]:
| sendmail before 8.14.4 does not properly handle a ''\0''
character in a
| Common Name (CN) field of an X.509 certificate, which (1) allows
| man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers
| via a crafted server certificate issued by a legitimate Certification
| Authority, and (2) allows remote attackers to bypass intended access
| restrictions via a crafted client certificate issued by a legitimate
| Certification Authority, a related issue to CVE-2009-2408.
Please coordinate with the security team (team at security.debian.org) to
prepare packages for the stable and oldstable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565
http://security-tracker.debian.org/tracker/CVE-2009-4565
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktJ0v8ACgkQNxpp46476arSPQCggai2b9hxDmyUNjQC57+13y9H
TcgAoIsxCtp300SC4dBed2rvBNziY1sy
=Ob7s
-----END PGP SIGNATURE-----