Red Hat Bugzilla – Bug 459620
CVE-2008-3746 neon: NULL ptr dereference in the Digest authentication support (DoS possible)
Last modified: 2008-10-16 03:35:47 EDT
A NULL pointer dereference in the Digest authentication support in neon
versions 0.28.0 through 0.28.2 inclusive allows a malicious server to
crash a client application, resulting in possible denial of service.
CVE-2008-3746: This issue does not affect the versions of the neon package,
as shipped with Red Hat Enterprise Linux 4 and 5.
CVE-2008-3746: This issue affects the versions of the neon package,
as shipped with Fedora release 8 and 9.
According to Joe's mail, this issue should only affect 0.28.0 - 0.28.2, so Fedora 8 packages should be unaffected, as those are based on 0.27.x:
Patch applied in upstream version 0.28.3:
neon-0.28.3-1.fc9 has been submitted as an update for Fedora 9.
neon-0.28.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: