Issued:
2009-09-21
Updated:
2009-09-21

RHSA-2009:1452 - Security Advisory

Synopsis

Moderate: neon security update

Type/Severity

Security Advisory: Moderate

Topic

Updated neon packages that fix two security issues are now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

neon is an HTTP and WebDAV client library, with a C interface. It provides
a high-level interface to HTTP and WebDAV methods along with a low-level
interface for HTTP request handling. neon supports persistent connections,
proxy servers, basic, digest and Kerberos authentication, and has complete
SSL support.

It was discovered that neon is affected by the previously published "null
prefix attack", caused by incorrect handling of NULL characters in X.509
certificates. If an attacker is able to get a carefully-crafted certificate
signed by a trusted Certificate Authority, the attacker could use the
certificate during a man-in-the-middle attack and potentially confuse an
application using the neon library into accepting it by mistake.
(CVE-2009-2474)

A denial of service flaw was found in the neon Extensible Markup Language
(XML) parser. A remote attacker (malicious DAV server) could provide a
specially-crafted XML document that would cause excessive memory and CPU
consumption if an application using the neon XML parser was tricked into
processing it. (CVE-2009-2473)

All neon users should upgrade to these updated packages, which contain
backported patches to correct these issues. Applications using the neon
HTTP and WebDAV client library, such as cadaver, must be restarted for this
update to take effect.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 5.4 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 5.4 ia64
  • Red Hat Enterprise Linux Server - Extended Update Support 5.4 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 4.8 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.8 ia64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.8 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 518215 - CVE-2009-2473 neon, gnome-vfs2 embedded neon: billion laughs DoS attack
  • BZ - 518223 - CVE-2009-2474 neon: Improper verification of x509v3 certificate with NULL (zero) byte in certain fields

CVEs

References

Red Hat Enterprise Linux Server 5

SRPM
neon-0.25.5-10.el5_4.1.src.rpm SHA-256: f3b90a6075a926b8189bba00d64cb7978fc390d6b5f2d3a7e89224b3d1ce0f00
x86_64
neon-0.25.5-10.el5_4.1.i386.rpm SHA-256: e1064391a73bbcc69d9cbab73b6319ad6c5cb741a567908c08ff6e7b435b17b2
neon-0.25.5-10.el5_4.1.x86_64.rpm SHA-256: 1202b872eb5c9ffe4c1bde7af9ba0a87f2ca0139140a131b9a315e3f139b3608
neon-devel-0.25.5-10.el5_4.1.i386.rpm SHA-256: d7b47a48cd1780918491893b5e1e78c4427510e0395a29b9a471915182037ce8
neon-devel-0.25.5-10.el5_4.1.x86_64.rpm SHA-256: 9e882b0878c001dfd676683cf6f98083563172c90af7df9ba8a419efa98f30a7
ia64
neon-0.25.5-10.el5_4.1.ia64.rpm SHA-256: a2204908570b6f31762bd063d12e9f726fd2cb317537e2c94bd1bdd81c2a83ef
neon-devel-0.25.5-10.el5_4.1.ia64.rpm SHA-256: 58ca79824c81fbef67a312a57a415916a23c8aa050db3a6efc92eba98caddb0b
i386
neon-0.25.5-10.el5_4.1.i386.rpm SHA-256: e1064391a73bbcc69d9cbab73b6319ad6c5cb741a567908c08ff6e7b435b17b2
neon-devel-0.25.5-10.el5_4.1.i386.rpm SHA-256: d7b47a48cd1780918491893b5e1e78c4427510e0395a29b9a471915182037ce8

Red Hat Enterprise Linux Server 4

SRPM
neon-0.24.7-4.el4_8.2.src.rpm SHA-256: cbdffb5255db84a1bb5286b1c6417213d55b8b0f9a1bec2b902b211853135427
x86_64
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2968fa417f9109361e7c6550200a372b4bc0ce5c34bf2f25f77e89807bfcd7d4
neon-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2968fa417f9109361e7c6550200a372b4bc0ce5c34bf2f25f77e89807bfcd7d4
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2525589bd9501fafd00a75dc617d23c81727a3a2e225268c9e1cb26aaf2c8887
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2525589bd9501fafd00a75dc617d23c81727a3a2e225268c9e1cb26aaf2c8887
ia64
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.ia64.rpm SHA-256: 638e2e72f91f377d31dedba9e206e692a73de0117c24b1360630a1b627aa5bf6
neon-0.24.7-4.el4_8.2.ia64.rpm SHA-256: 638e2e72f91f377d31dedba9e206e692a73de0117c24b1360630a1b627aa5bf6
neon-devel-0.24.7-4.el4_8.2.ia64.rpm SHA-256: c3baf408151a66a80f7eea510aec68b4dd18475cd55dc74ee4118d8390099187
neon-devel-0.24.7-4.el4_8.2.ia64.rpm SHA-256: c3baf408151a66a80f7eea510aec68b4dd18475cd55dc74ee4118d8390099187
i386
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-devel-0.24.7-4.el4_8.2.i386.rpm SHA-256: 62645d1dcbdc06f32131781d5654249468bb7f68deded9f38f6746607f3bc969
neon-devel-0.24.7-4.el4_8.2.i386.rpm SHA-256: 62645d1dcbdc06f32131781d5654249468bb7f68deded9f38f6746607f3bc969

Red Hat Enterprise Linux Server - Extended Update Support 4.8

SRPM
neon-0.24.7-4.el4_8.2.src.rpm SHA-256: cbdffb5255db84a1bb5286b1c6417213d55b8b0f9a1bec2b902b211853135427
x86_64
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2968fa417f9109361e7c6550200a372b4bc0ce5c34bf2f25f77e89807bfcd7d4
neon-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2968fa417f9109361e7c6550200a372b4bc0ce5c34bf2f25f77e89807bfcd7d4
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2525589bd9501fafd00a75dc617d23c81727a3a2e225268c9e1cb26aaf2c8887
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2525589bd9501fafd00a75dc617d23c81727a3a2e225268c9e1cb26aaf2c8887
ia64
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.ia64.rpm SHA-256: 638e2e72f91f377d31dedba9e206e692a73de0117c24b1360630a1b627aa5bf6
neon-0.24.7-4.el4_8.2.ia64.rpm SHA-256: 638e2e72f91f377d31dedba9e206e692a73de0117c24b1360630a1b627aa5bf6
neon-devel-0.24.7-4.el4_8.2.ia64.rpm SHA-256: c3baf408151a66a80f7eea510aec68b4dd18475cd55dc74ee4118d8390099187
neon-devel-0.24.7-4.el4_8.2.ia64.rpm SHA-256: c3baf408151a66a80f7eea510aec68b4dd18475cd55dc74ee4118d8390099187
i386
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-devel-0.24.7-4.el4_8.2.i386.rpm SHA-256: 62645d1dcbdc06f32131781d5654249468bb7f68deded9f38f6746607f3bc969
neon-devel-0.24.7-4.el4_8.2.i386.rpm SHA-256: 62645d1dcbdc06f32131781d5654249468bb7f68deded9f38f6746607f3bc969

Red Hat Enterprise Linux Workstation 5

SRPM
neon-0.25.5-10.el5_4.1.src.rpm SHA-256: f3b90a6075a926b8189bba00d64cb7978fc390d6b5f2d3a7e89224b3d1ce0f00
x86_64
neon-0.25.5-10.el5_4.1.i386.rpm SHA-256: e1064391a73bbcc69d9cbab73b6319ad6c5cb741a567908c08ff6e7b435b17b2
neon-0.25.5-10.el5_4.1.x86_64.rpm SHA-256: 1202b872eb5c9ffe4c1bde7af9ba0a87f2ca0139140a131b9a315e3f139b3608
neon-devel-0.25.5-10.el5_4.1.i386.rpm SHA-256: d7b47a48cd1780918491893b5e1e78c4427510e0395a29b9a471915182037ce8
neon-devel-0.25.5-10.el5_4.1.x86_64.rpm SHA-256: 9e882b0878c001dfd676683cf6f98083563172c90af7df9ba8a419efa98f30a7
i386
neon-0.25.5-10.el5_4.1.i386.rpm SHA-256: e1064391a73bbcc69d9cbab73b6319ad6c5cb741a567908c08ff6e7b435b17b2
neon-devel-0.25.5-10.el5_4.1.i386.rpm SHA-256: d7b47a48cd1780918491893b5e1e78c4427510e0395a29b9a471915182037ce8

Red Hat Enterprise Linux Workstation 4

SRPM
neon-0.24.7-4.el4_8.2.src.rpm SHA-256: cbdffb5255db84a1bb5286b1c6417213d55b8b0f9a1bec2b902b211853135427
x86_64
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2968fa417f9109361e7c6550200a372b4bc0ce5c34bf2f25f77e89807bfcd7d4
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2525589bd9501fafd00a75dc617d23c81727a3a2e225268c9e1cb26aaf2c8887
ia64
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.ia64.rpm SHA-256: 638e2e72f91f377d31dedba9e206e692a73de0117c24b1360630a1b627aa5bf6
neon-devel-0.24.7-4.el4_8.2.ia64.rpm SHA-256: c3baf408151a66a80f7eea510aec68b4dd18475cd55dc74ee4118d8390099187
i386
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-devel-0.24.7-4.el4_8.2.i386.rpm SHA-256: 62645d1dcbdc06f32131781d5654249468bb7f68deded9f38f6746607f3bc969

Red Hat Enterprise Linux Desktop 5

SRPM
neon-0.25.5-10.el5_4.1.src.rpm SHA-256: f3b90a6075a926b8189bba00d64cb7978fc390d6b5f2d3a7e89224b3d1ce0f00
x86_64
neon-0.25.5-10.el5_4.1.i386.rpm SHA-256: e1064391a73bbcc69d9cbab73b6319ad6c5cb741a567908c08ff6e7b435b17b2
neon-0.25.5-10.el5_4.1.x86_64.rpm SHA-256: 1202b872eb5c9ffe4c1bde7af9ba0a87f2ca0139140a131b9a315e3f139b3608
i386
neon-0.25.5-10.el5_4.1.i386.rpm SHA-256: e1064391a73bbcc69d9cbab73b6319ad6c5cb741a567908c08ff6e7b435b17b2

Red Hat Enterprise Linux Desktop 4

SRPM
neon-0.24.7-4.el4_8.2.src.rpm SHA-256: cbdffb5255db84a1bb5286b1c6417213d55b8b0f9a1bec2b902b211853135427
x86_64
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2968fa417f9109361e7c6550200a372b4bc0ce5c34bf2f25f77e89807bfcd7d4
neon-devel-0.24.7-4.el4_8.2.x86_64.rpm SHA-256: 2525589bd9501fafd00a75dc617d23c81727a3a2e225268c9e1cb26aaf2c8887
i386
neon-0.24.7-4.el4_8.2.i386.rpm SHA-256: a791773e764a48f76c35fac4480d1388219ce2aeb4ddac74234da1fddf8220d5
neon-devel-0.24.7-4.el4_8.2.i386.rpm SHA-256: 62645d1dcbdc06f32131781d5654249468bb7f68deded9f38f6746607f3bc969

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
neon-0.25.5-10.el5_4.1.src.rpm SHA-256: f3b90a6075a926b8189bba00d64cb7978fc390d6b5f2d3a7e89224b3d1ce0f00
s390x
neon-0.25.5-10.el5_4.1.s390.rpm SHA-256: d635340f098bfff6fc9ef361897738612d3807ab4500cab4ad2cf092cfafbb2d
neon-0.25.5-10.el5_4.1.s390x.rpm SHA-256: 9924d0336ca34a6204c302bcd64283750565689f61100c84c3a3a124f018b8a7
neon-devel-0.25.5-10.el5_4.1.s390.rpm SHA-256: e562ec76ac5986ef0bfc3a5874434518c7514644a944839a07bc2da5cc2e5910
neon-devel-0.25.5-10.el5_4.1.s390x.rpm SHA-256: 876d47f5bc3e2ba33394cfa14f66bb4f454f397d4a1699f833f99e4df5cc981e

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
neon-0.24.7-4.el4_8.2.src.rpm SHA-256: cbdffb5255db84a1bb5286b1c6417213d55b8b0f9a1bec2b902b211853135427
s390x
neon-0.24.7-4.el4_8.2.s390.rpm SHA-256: 211a0b7985a873d23abd75236c8e8c2f68c5cad084579549c04c88c0da9e65e1
neon-0.24.7-4.el4_8.2.s390x.rpm SHA-256: 6925a6a4c04872d37ee3438479c74e2d4b847bb7561a162c4f2bcf82f2003da3
neon-devel-0.24.7-4.el4_8.2.s390x.rpm SHA-256: 73da6205a979eba397834e8353258c064fca17e7864964a117edce67d4f5cea5
s390
neon-0.24.7-4.el4_8.2.s390.rpm SHA-256: 211a0b7985a873d23abd75236c8e8c2f68c5cad084579549c04c88c0da9e65e1
neon-devel-0.24.7-4.el4_8.2.s390.rpm SHA-256: 3410a2272e3d7c8ac37f8d95104f2de13ee1cf81b0357aeaa006e4e366bffd62

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8

SRPM
neon-0.24.7-4.el4_8.2.src.rpm SHA-256: cbdffb5255db84a1bb5286b1c6417213d55b8b0f9a1bec2b902b211853135427
s390x
neon-0.24.7-4.el4_8.2.s390.rpm SHA-256: 211a0b7985a873d23abd75236c8e8c2f68c5cad084579549c04c88c0da9e65e1
neon-0.24.7-4.el4_8.2.s390x.rpm SHA-256: 6925a6a4c04872d37ee3438479c74e2d4b847bb7561a162c4f2bcf82f2003da3
neon-devel-0.24.7-4.el4_8.2.s390x.rpm SHA-256: 73da6205a979eba397834e8353258c064fca17e7864964a117edce67d4f5cea5
s390
neon-0.24.7-4.el4_8.2.s390.rpm SHA-256: 211a0b7985a873d23abd75236c8e8c2f68c5cad084579549c04c88c0da9e65e1
neon-devel-0.24.7-4.el4_8.2.s390.rpm SHA-256: 3410a2272e3d7c8ac37f8d95104f2de13ee1cf81b0357aeaa006e4e366bffd62

Red Hat Enterprise Linux for Power, big endian 5

SRPM
neon-0.25.5-10.el5_4.1.src.rpm SHA-256: f3b90a6075a926b8189bba00d64cb7978fc390d6b5f2d3a7e89224b3d1ce0f00
ppc
neon-0.25.5-10.el5_4.1.ppc.rpm SHA-256: f2fe121c97da06c9279a9d4b87a7aa5d20934d077bd192ebde4ec543eb987b82
neon-0.25.5-10.el5_4.1.ppc64.rpm SHA-256: 35ba743edabc46e71244ebc97f5b3499a91980997125e8de4ccc4bec6a4ec61a
neon-devel-0.25.5-10.el5_4.1.ppc.rpm SHA-256: be001cc0c93de7d5e61738da1b0d96110786010566342f00fbccf9bf77924687
neon-devel-0.25.5-10.el5_4.1.ppc64.rpm SHA-256: a85cd5d3132ca8109af721301efdcd386f1b240f2f0680eb94b68283f4de9d5b

Red Hat Enterprise Linux for Power, big endian 4

SRPM
neon-0.24.7-4.el4_8.2.src.rpm SHA-256: cbdffb5255db84a1bb5286b1c6417213d55b8b0f9a1bec2b902b211853135427
ppc
neon-0.24.7-4.el4_8.2.ppc.rpm SHA-256: bfb02eba4349133c939fbc65c1428f9118c4a8c2a3eb3a00a3e198e20c6ed655
neon-0.24.7-4.el4_8.2.ppc64.rpm SHA-256: 10b5f63e553cf14b033c881d95f82bb8f2c9f5219dec4b2906b93b67cb006c1d
neon-devel-0.24.7-4.el4_8.2.ppc.rpm SHA-256: 9b30dc56518cabbf820621649175601d1ce1da366454b2d88b0c55019703a325

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8

SRPM
neon-0.24.7-4.el4_8.2.src.rpm SHA-256: cbdffb5255db84a1bb5286b1c6417213d55b8b0f9a1bec2b902b211853135427
ppc
neon-0.24.7-4.el4_8.2.ppc.rpm SHA-256: bfb02eba4349133c939fbc65c1428f9118c4a8c2a3eb3a00a3e198e20c6ed655
neon-0.24.7-4.el4_8.2.ppc64.rpm SHA-256: 10b5f63e553cf14b033c881d95f82bb8f2c9f5219dec4b2906b93b67cb006c1d
neon-devel-0.24.7-4.el4_8.2.ppc.rpm SHA-256: 9b30dc56518cabbf820621649175601d1ce1da366454b2d88b0c55019703a325

Red Hat Enterprise Linux Server from RHUI 5

SRPM
neon-0.25.5-10.el5_4.1.src.rpm SHA-256: f3b90a6075a926b8189bba00d64cb7978fc390d6b5f2d3a7e89224b3d1ce0f00
x86_64
neon-0.25.5-10.el5_4.1.i386.rpm SHA-256: e1064391a73bbcc69d9cbab73b6319ad6c5cb741a567908c08ff6e7b435b17b2
neon-0.25.5-10.el5_4.1.x86_64.rpm SHA-256: 1202b872eb5c9ffe4c1bde7af9ba0a87f2ca0139140a131b9a315e3f139b3608
neon-devel-0.25.5-10.el5_4.1.i386.rpm SHA-256: d7b47a48cd1780918491893b5e1e78c4427510e0395a29b9a471915182037ce8
neon-devel-0.25.5-10.el5_4.1.x86_64.rpm SHA-256: 9e882b0878c001dfd676683cf6f98083563172c90af7df9ba8a419efa98f30a7
i386
neon-0.25.5-10.el5_4.1.i386.rpm SHA-256: e1064391a73bbcc69d9cbab73b6319ad6c5cb741a567908c08ff6e7b435b17b2
neon-devel-0.25.5-10.el5_4.1.i386.rpm SHA-256: d7b47a48cd1780918491893b5e1e78c4427510e0395a29b9a471915182037ce8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.