Bug 537927 (CVE-2009-3941) - CVE-2009-3941 mpop NULL character certificate flaw
Summary: CVE-2009-3941 mpop NULL character certificate flaw
Alias: CVE-2009-3941
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Depends On: 537928 537929 537930 537931
TreeView+ depends on / blocked
Reported: 2009-11-16 20:35 UTC by Josh Bressers
Modified: 2019-09-29 12:33 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-11-28 17:21:20 UTC

Attachments (Terms of Use)

Description Josh Bressers 2009-11-16 20:35:05 UTC
Martin Lambers mpop before 1.0.19, when OpenSSL is used, does not
properly handle a '\0' character in a domain name in the (1) subject's
Common Name or (2) Subject Alternative Name field of an X.509
certificate, which allows man-in-the-middle attackers to spoof
arbitrary SSL servers via a crafted certificate issued by a legitimate
Certification Authority, a related issue to CVE-2009-2408.

Reference: CONFIRM:http://mpop.sourceforge.net/news.html
Reference: URL:http://secunia.com/advisories/37312
Reference: URL:http://www.vupen.com/english/advisories/2009/3225

Comment 1 Josh Bressers 2009-11-16 20:35:54 UTC
Created mpop tracking bugs for this issue

CVE-2009-3941 Affects: F10 [bug #537928]
CVE-2009-3941 Affects: F11 [bug #537929]
CVE-2009-3941 Affects: F12 [bug #537930]
CVE-2009-3941 Affects: Fdevel [bug #537931]

Comment 2 Fedora Update System 2009-11-16 23:25:29 UTC
mpop-1.0.19-1.fc11 has been submitted as an update for Fedora 11.

Comment 3 Fedora Update System 2009-11-16 23:25:44 UTC
mpop-1.0.19-1.fc12 has been submitted as an update for Fedora 12.

Comment 4 Tomas Hoger 2009-11-22 18:24:32 UTC
(In reply to comment #0)
> Martin Lambers mpop before 1.0.19, when OpenSSL is used

Fedora mpop and msmtp packages are using GnuTLS, hence should not need this fix.  My tests with --serverinfo always result in "the certificate owner does not match hostname" error.  Ok to close:notabug and change update requests to bugfix / enhancement?

Note You need to log in before you can comment on or make changes to this bug.