Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2009-3767

Published: 23 October 2009

libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Notes

AuthorNote
mdeslaur
openldap in hardy and intrepid only have gnutls backend
we compile jaunty-lucid with gnutls, not openssl
so we're not vulnerable to this. (debian/configure.options)

openldap2 in dapper has been patched with gnutls support, so
not vulnerable. This is the library to which all dapper
applications are linked, to not conflict with the openssl
license.

openldap2.2 in dapper uses openssl and is vulnerable.

Priority

Medium

Status

Package Release Status
openldap
Launchpad, Ubuntu, Debian
upstream Needs triage

dapper Does not exist

hardy Does not exist

intrepid Not vulnerable
(code not present)
jaunty Not vulnerable
(not compiled with openssl)
karmic Not vulnerable
(not compiled with openssl)
Patches:
upstream: http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.8&r2=1.11&f=h
upstream: http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.11&r2=1.12&hideattic=1&sortbydate=0 (related?)
openldap2.3
Launchpad, Ubuntu, Debian
upstream Needs triage

dapper Does not exist

hardy Not vulnerable
(code not present)
intrepid Does not exist

jaunty Does not exist

karmic Does not exist

openldap2.2
Launchpad, Ubuntu, Debian
upstream Needs triage

dapper
Released (2.2.26-5ubuntu2.9)
hardy Does not exist

intrepid Does not exist

jaunty Does not exist

karmic Does not exist

openldap2
Launchpad, Ubuntu, Debian
upstream Needs triage

dapper Not vulnerable
(compiled with gnutls patch)
hardy Does not exist

intrepid Does not exist

jaunty Does not exist

karmic Does not exist