Security Advisory Moderate: neon security update

Advisory: RHSA-2009:1452-1
Type: Security Advisory
Severity: Moderate
Issued on: 2009-09-21
Last updated on: 2009-09-21
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.8.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.8.z)
Red Hat Enterprise Linux EUS (v. 5.4.z server)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20091452.xml
CVEs (cve.mitre.org): CVE-2009-2473
CVE-2009-2474

Details

Updated neon packages that fix two security issues are now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

neon is an HTTP and WebDAV client library, with a C interface. It provides
a high-level interface to HTTP and WebDAV methods along with a low-level
interface for HTTP request handling. neon supports persistent connections,
proxy servers, basic, digest and Kerberos authentication, and has complete
SSL support.

It was discovered that neon is affected by the previously published "null
prefix attack", caused by incorrect handling of NULL characters in X.509
certificates. If an attacker is able to get a carefully-crafted certificate
signed by a trusted Certificate Authority, the attacker could use the
certificate during a man-in-the-middle attack and potentially confuse an
application using the neon library into accepting it by mistake.
(CVE-2009-2474)
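
The defect behind the "null prefix attack" is easiest to see in code. The following is an added example, not neon's own code: a hostname-versus-CN check in the vulnerable form next to its hardened form. The crafted CN (`CRAFTED_CN`), the helper `ci_equal` and the two `match_cn_*` functions are this example's own constructions; the assumption is that the ASN.1 decoder returns the CN as a pointer plus its declared length, which is how the embedded NUL becomes visible in the first place.

```c
/* Added example, not neon's code: a hostname-vs-CN check that rejects
 * certificates whose CN carries an embedded NUL byte (the "null prefix"
 * defect described in CVE-2009-2474).  An ASN.1 decoder hands the CN
 * back as (pointer, declared length); C string functions stop at the
 * first NUL, so a CN of "www.bank.example\0.attacker.example" compares
 * equal to "www.bank.example" if only the C string is looked at. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample CN as a decoder would return it: 34 bytes, NUL at
 * offset 16.  The string literal gives 35 bytes including the terminator. */
static const char CRAFTED_CN[] = "www.bank.example\0.attacker.example";
#define CRAFTED_CN_LEN (sizeof(CRAFTED_CN) - 1)

/* Case-insensitive comparison of exactly n bytes (hostnames are
 * case-insensitive; avoids the locale-dependent strcasecmp). */
static int ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* Vulnerable pattern: treats the CN as a C string and ignores the
 * declared length, so everything after the embedded NUL is invisible. */
int match_cn_unsafe(const char *cn, size_t cn_len, const char *expected)
{
    (void)cn_len;                  /* the defect: length never consulted */
    size_t n = strlen(cn);         /* stops at the embedded NUL */
    return n == strlen(expected) && ci_equal(cn, expected, n);
}

/* Hardened pattern: refuse any CN containing a NUL within its declared
 * length, then require the expected name to match the full length. */
int match_cn_safe(const char *cn, size_t cn_len, const char *expected)
{
    if (memchr(cn, '\0', cn_len) != NULL)   /* embedded NUL: reject outright */
        return 0;
    if (strlen(expected) != cn_len)         /* lengths must match exactly */
        return 0;
    return ci_equal(cn, expected, cn_len);
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("unsafe check accepts crafted CN: %d\n",
           match_cn_unsafe(CRAFTED_CN, CRAFTED_CN_LEN, host));
    printf("safe check accepts crafted CN:   %d\n",
           match_cn_safe(CRAFTED_CN, CRAFTED_CN_LEN, host));
    printf("safe check accepts genuine CN:   %d\n",
           match_cn_safe(host, strlen(host), host));
    return 0;
}
```

The safe variant refuses the certificate as soon as a NUL is found inside the declared length, rather than trying to interpret the remainder; a certificate whose subject cannot be represented as a plain C string has no legitimate reason to exist, and rejecting it is the behaviour an application using the library should expect.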

A denial of service flaw was found in the neon Extensible Markup Language
(XML) parser. A remote attacker (malicious DAV server) could provide a
specially-crafted XML document that would cause excessive memory and CPU
consumption if an application using the neon XML parser was tricked into
processing it. (CVE-2009-2473)
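
The bug title below calls this a "billion laughs" document: a DTD declares a chain of entities, each referencing the previous one ten times, so a few hundred declared bytes expand to gigabytes. The following is an added example, not code from neon or from expat: it models internal `&name;` entities with a small table and computes the expanded size against a budget without ever building the expansion, which is the kind of check a defender wants in front of any parser that honours entity declarations. `X10`, `LOL_TABLE`, `MAX_DEPTH`, `expanded_size`, `sample_declared_size` and `expand_with_budget` are all this example's own names; the entity table is constructed sample input.

```c
/* Added example, not neon's code: why a tiny XML document can demand
 * gigabytes of memory (the "billion laughs" pattern behind
 * CVE-2009-2473), and a budget check that rejects it before expansion.
 * Only internal general entities of the form "&name;" are modelled. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct entity {
    const char *name;   /* entity name without '&' and ';' */
    const char *text;   /* replacement text, may reference other entities */
};

/* Ten copies of a string literal: each level references the one below
 * it ten times. */
#define X10(s) s s s s s s s s s s

/* Constructed sample: the classic ten-level chain.  Declared text is a
 * few hundred bytes; full expansion of &lol9; is 3 * 10^9 bytes. */
static const struct entity LOL_TABLE[] = {
    { "lol0", "lol" },
    { "lol1", X10("&lol0;") },
    { "lol2", X10("&lol1;") },
    { "lol3", X10("&lol2;") },
    { "lol4", X10("&lol3;") },
    { "lol5", X10("&lol4;") },
    { "lol6", X10("&lol5;") },
    { "lol7", X10("&lol6;") },
    { "lol8", X10("&lol7;") },
    { "lol9", X10("&lol8;") },
};
#define LOL_TABLE_LEN (sizeof(LOL_TABLE) / sizeof(LOL_TABLE[0]))
#define MAX_DEPTH 32   /* also stops self-referencing (recursive) entities */

static const char *lookup(const struct entity *tab, size_t n,
                          const char *name, size_t name_len)
{
    for (size_t i = 0; i < n; i++) {
        if (strlen(tab[i].name) == name_len &&
            memcmp(tab[i].name, name, name_len) == 0)
            return tab[i].text;
    }
    return NULL;
}

/* Size of `text` after full entity expansion, computed without building it.
 * Returns -1 as soon as the running total exceeds `budget`, on an undefined
 * or unterminated reference, or when nesting exceeds MAX_DEPTH. */
static long long expanded_size(const struct entity *tab, size_t n,
                               const char *text, long long budget, int depth)
{
    long long total = 0;
    if (depth > MAX_DEPTH)
        return -1;
    for (const char *p = text; *p != '\0'; ) {
        if (*p == '&') {
            const char *semi = strchr(p, ';');
            if (semi == NULL)
                return -1;                          /* unterminated reference */
            const char *repl = lookup(tab, n, p + 1, (size_t)(semi - p - 1));
            if (repl == NULL)
                return -1;                          /* undefined entity */
            /* the sub-expansion only gets what is left of the budget */
            long long sub = expanded_size(tab, n, repl, budget - total, depth + 1);
            if (sub < 0)
                return -1;
            total += sub;
            p = semi + 1;
        } else {
            total++;
            p++;
        }
        if (total > budget)
            return -1;                              /* over budget: stop early */
    }
    return total;
}

/* Sum of the declared replacement texts: the bytes actually on the wire. */
long long sample_declared_size(void)
{
    long long sum = 0;
    for (size_t i = 0; i < LOL_TABLE_LEN; i++)
        sum += (long long)strlen(LOL_TABLE[i].text);
    return sum;
}

/* Expanded size of `body` against the sample table, or -1 if rejected. */
long long expand_with_budget(const char *body, long long budget)
{
    return expanded_size(LOL_TABLE, LOL_TABLE_LEN, body, budget, 0);
}

int main(void)
{
    printf("declared bytes: %lld\n", sample_declared_size());
    printf("&lol4; expands to %lld bytes\n", expand_with_budget("&lol4;", 1000000LL));
    printf("&lol9; under a 1 MB budget: %lld (-1 = rejected)\n",
           expand_with_budget("&lol9;", 1000000LL));
    return 0;
}
```

Because the remaining budget is passed down into each sub-expansion, the check fails after roughly one budget's worth of work regardless of how deep the chain goes, so the defence is itself cheap. A simpler parser-level mitigation, and the one most client libraries adopt, is to refuse internal entity declarations entirely, since a WebDAV response has no legitimate need for them.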

All neon users should upgrade to these updated packages, which contain
backported patches to correct these issues. Applications using the neon
HTTP and WebDAV client library, such as cadaver, must be restarted for this
update to take effect.
Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
neon-0.25.5-10.el5_4.1.src.rpm     6759de2c09d4ce48afac5cb845fd8efd
 
IA-32:
neon-devel-0.25.5-10.el5_4.1.i386.rpm     0af6df5bf3a81a6928724e7c94c96da0
 
x86_64:
neon-devel-0.25.5-10.el5_4.1.i386.rpm     0af6df5bf3a81a6928724e7c94c96da0
neon-devel-0.25.5-10.el5_4.1.x86_64.rpm     51ae38d395ca3e70a7b57d74f71d2b6a
 
Red Hat Desktop (v. 4)

SRPMS:
neon-0.24.7-4.el4_8.2.src.rpm     977a376c85ecb58001d947ef5c82e6ab
 
IA-32:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-devel-0.24.7-4.el4_8.2.i386.rpm     9511224f6cff4dc072014d4db930aaa3
 
x86_64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.x86_64.rpm     4b20accba33a6ba425feadc29f01763a
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm     e496782c5ebad18d46653ddc18599fe1
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
neon-0.25.5-10.el5_4.1.src.rpm     6759de2c09d4ce48afac5cb845fd8efd
 
IA-32:
neon-0.25.5-10.el5_4.1.i386.rpm     4eebc57ab8a9fa3cb4fc5b41dfbe9149
neon-devel-0.25.5-10.el5_4.1.i386.rpm     0af6df5bf3a81a6928724e7c94c96da0
 
IA-64:
neon-0.25.5-10.el5_4.1.ia64.rpm     2a2ea193b9d1ca3e0d04695520bdc5a9
neon-devel-0.25.5-10.el5_4.1.ia64.rpm     5aa2bc6339ecb3ac8d9c0132dc73447a
 
PPC:
neon-0.25.5-10.el5_4.1.ppc.rpm     afebf80ed74b54af2e13a49517769292
neon-0.25.5-10.el5_4.1.ppc64.rpm     f1a6b3b0fdb692b4d80adb475e1216c7
neon-devel-0.25.5-10.el5_4.1.ppc.rpm     dcb65955fce496496cdefb2c777958fa
neon-devel-0.25.5-10.el5_4.1.ppc64.rpm     5228a2fde7de0c9e9535c15971082ffe
 
s390x:
neon-0.25.5-10.el5_4.1.s390.rpm     8cf9e03c320e442ca09d598cd119448c
neon-0.25.5-10.el5_4.1.s390x.rpm     495362e69038fb04632de83bca3c833d
neon-devel-0.25.5-10.el5_4.1.s390.rpm     3315cea067f1012442ad61bbb63a2e15
neon-devel-0.25.5-10.el5_4.1.s390x.rpm     ed70c0c117fa6c20a7c6ecae85c51a5b
 
x86_64:
neon-0.25.5-10.el5_4.1.i386.rpm     4eebc57ab8a9fa3cb4fc5b41dfbe9149
neon-0.25.5-10.el5_4.1.x86_64.rpm     8999c4aebcbde51750735aa89c9e6699
neon-devel-0.25.5-10.el5_4.1.i386.rpm     0af6df5bf3a81a6928724e7c94c96da0
neon-devel-0.25.5-10.el5_4.1.x86_64.rpm     51ae38d395ca3e70a7b57d74f71d2b6a
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
neon-0.24.7-4.el4_8.2.src.rpm     977a376c85ecb58001d947ef5c82e6ab
 
IA-32:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-devel-0.24.7-4.el4_8.2.i386.rpm     9511224f6cff4dc072014d4db930aaa3
 
IA-64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.ia64.rpm     12ad59ead4c089be5c4ecbd71b1925b8
neon-devel-0.24.7-4.el4_8.2.ia64.rpm     c600a579ad6150fa9aeb3be32b0d23ab
 
PPC:
neon-0.24.7-4.el4_8.2.ppc.rpm     0f2de601010ba72d1ccf63622d7dce93
neon-0.24.7-4.el4_8.2.ppc64.rpm     71e5166a457a2320f78b567da19d4db1
neon-devel-0.24.7-4.el4_8.2.ppc.rpm     5dad993d01eacbbca9e9f7e78258a308
 
s390:
neon-0.24.7-4.el4_8.2.s390.rpm     5d803c79dd3a69ff3f2e52d12b9b9a98
neon-devel-0.24.7-4.el4_8.2.s390.rpm     a5a0bba1b5770bb8d66245b8f4c7f6f2
 
s390x:
neon-0.24.7-4.el4_8.2.s390.rpm     5d803c79dd3a69ff3f2e52d12b9b9a98
neon-0.24.7-4.el4_8.2.s390x.rpm     b56359da056c04c0e80d6d71add46cc9
neon-devel-0.24.7-4.el4_8.2.s390x.rpm     0c1d8591cca07c4c3aa1b4681ac6cb0e
 
x86_64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.x86_64.rpm     4b20accba33a6ba425feadc29f01763a
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm     e496782c5ebad18d46653ddc18599fe1
 
Red Hat Enterprise Linux AS (v. 4.8.z)

SRPMS:
neon-0.24.7-4.el4_8.2.src.rpm     977a376c85ecb58001d947ef5c82e6ab
 
IA-32:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-devel-0.24.7-4.el4_8.2.i386.rpm     9511224f6cff4dc072014d4db930aaa3
 
IA-64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.ia64.rpm     12ad59ead4c089be5c4ecbd71b1925b8
neon-devel-0.24.7-4.el4_8.2.ia64.rpm     c600a579ad6150fa9aeb3be32b0d23ab
 
PPC:
neon-0.24.7-4.el4_8.2.ppc.rpm     0f2de601010ba72d1ccf63622d7dce93
neon-0.24.7-4.el4_8.2.ppc64.rpm     71e5166a457a2320f78b567da19d4db1
neon-devel-0.24.7-4.el4_8.2.ppc.rpm     5dad993d01eacbbca9e9f7e78258a308
 
s390:
neon-0.24.7-4.el4_8.2.s390.rpm     5d803c79dd3a69ff3f2e52d12b9b9a98
neon-devel-0.24.7-4.el4_8.2.s390.rpm     a5a0bba1b5770bb8d66245b8f4c7f6f2
 
s390x:
neon-0.24.7-4.el4_8.2.s390.rpm     5d803c79dd3a69ff3f2e52d12b9b9a98
neon-0.24.7-4.el4_8.2.s390x.rpm     b56359da056c04c0e80d6d71add46cc9
neon-devel-0.24.7-4.el4_8.2.s390x.rpm     0c1d8591cca07c4c3aa1b4681ac6cb0e
 
x86_64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.x86_64.rpm     4b20accba33a6ba425feadc29f01763a
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm     e496782c5ebad18d46653ddc18599fe1
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
neon-0.25.5-10.el5_4.1.src.rpm     6759de2c09d4ce48afac5cb845fd8efd
 
IA-32:
neon-0.25.5-10.el5_4.1.i386.rpm     4eebc57ab8a9fa3cb4fc5b41dfbe9149
 
x86_64:
neon-0.25.5-10.el5_4.1.i386.rpm     4eebc57ab8a9fa3cb4fc5b41dfbe9149
neon-0.25.5-10.el5_4.1.x86_64.rpm     8999c4aebcbde51750735aa89c9e6699
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
neon-0.24.7-4.el4_8.2.src.rpm     977a376c85ecb58001d947ef5c82e6ab
 
IA-32:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-devel-0.24.7-4.el4_8.2.i386.rpm     9511224f6cff4dc072014d4db930aaa3
 
IA-64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.ia64.rpm     12ad59ead4c089be5c4ecbd71b1925b8
neon-devel-0.24.7-4.el4_8.2.ia64.rpm     c600a579ad6150fa9aeb3be32b0d23ab
 
x86_64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.x86_64.rpm     4b20accba33a6ba425feadc29f01763a
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm     e496782c5ebad18d46653ddc18599fe1
 
Red Hat Enterprise Linux ES (v. 4.8.z)

SRPMS:
neon-0.24.7-4.el4_8.2.src.rpm     977a376c85ecb58001d947ef5c82e6ab
 
IA-32:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-devel-0.24.7-4.el4_8.2.i386.rpm     9511224f6cff4dc072014d4db930aaa3
 
IA-64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.ia64.rpm     12ad59ead4c089be5c4ecbd71b1925b8
neon-devel-0.24.7-4.el4_8.2.ia64.rpm     c600a579ad6150fa9aeb3be32b0d23ab
 
x86_64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.x86_64.rpm     4b20accba33a6ba425feadc29f01763a
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm     e496782c5ebad18d46653ddc18599fe1
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)

SRPMS:
neon-0.25.5-10.el5_4.1.src.rpm     6759de2c09d4ce48afac5cb845fd8efd
 
IA-32:
neon-0.25.5-10.el5_4.1.i386.rpm     4eebc57ab8a9fa3cb4fc5b41dfbe9149
neon-devel-0.25.5-10.el5_4.1.i386.rpm     0af6df5bf3a81a6928724e7c94c96da0
 
IA-64:
neon-0.25.5-10.el5_4.1.ia64.rpm     2a2ea193b9d1ca3e0d04695520bdc5a9
neon-devel-0.25.5-10.el5_4.1.ia64.rpm     5aa2bc6339ecb3ac8d9c0132dc73447a
 
PPC:
neon-0.25.5-10.el5_4.1.ppc.rpm     afebf80ed74b54af2e13a49517769292
neon-0.25.5-10.el5_4.1.ppc64.rpm     f1a6b3b0fdb692b4d80adb475e1216c7
neon-devel-0.25.5-10.el5_4.1.ppc.rpm     dcb65955fce496496cdefb2c777958fa
neon-devel-0.25.5-10.el5_4.1.ppc64.rpm     5228a2fde7de0c9e9535c15971082ffe
 
s390x:
neon-0.25.5-10.el5_4.1.s390.rpm     8cf9e03c320e442ca09d598cd119448c
neon-0.25.5-10.el5_4.1.s390x.rpm     495362e69038fb04632de83bca3c833d
neon-devel-0.25.5-10.el5_4.1.s390.rpm     3315cea067f1012442ad61bbb63a2e15
neon-devel-0.25.5-10.el5_4.1.s390x.rpm     ed70c0c117fa6c20a7c6ecae85c51a5b
 
x86_64:
neon-0.25.5-10.el5_4.1.i386.rpm     4eebc57ab8a9fa3cb4fc5b41dfbe9149
neon-0.25.5-10.el5_4.1.x86_64.rpm     8999c4aebcbde51750735aa89c9e6699
neon-devel-0.25.5-10.el5_4.1.i386.rpm     0af6df5bf3a81a6928724e7c94c96da0
neon-devel-0.25.5-10.el5_4.1.x86_64.rpm     51ae38d395ca3e70a7b57d74f71d2b6a
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
neon-0.24.7-4.el4_8.2.src.rpm     977a376c85ecb58001d947ef5c82e6ab
 
IA-32:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-devel-0.24.7-4.el4_8.2.i386.rpm     9511224f6cff4dc072014d4db930aaa3
 
IA-64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.ia64.rpm     12ad59ead4c089be5c4ecbd71b1925b8
neon-devel-0.24.7-4.el4_8.2.ia64.rpm     c600a579ad6150fa9aeb3be32b0d23ab
 
x86_64:
neon-0.24.7-4.el4_8.2.i386.rpm     617352e88e9aee566df36b06d648be02
neon-0.24.7-4.el4_8.2.x86_64.rpm     4b20accba33a6ba425feadc29f01763a
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm     e496782c5ebad18d46653ddc18599fe1
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

518215 - CVE-2009-2473 neon, gnome-vfs2 embedded neon: billion laughs DoS attack
518223 - CVE-2009-2474 neon: Improper verification of x509v3 certificate with NULL (zero) byte in certain fields

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/