CVE-2009-3639 in Ubuntu

CVE-2009-3639

Priority

Description

The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2,
when the dNSNameRequired TLS option is enabled, does not properly handle a
'\0' character in a domain name in the Subject Alternative Name field of an
X.509 client certificate, which allows remote attackers to bypass intended
client-hostname restrictions via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3639

Bugs

https://bugzilla.redhat.com/show_bug.cgi?id=530719
http://bugs.proftpd.org/show_bug.cgi?id=3275

Notes

Package

Source: proftpd-dfsg (LP Ubuntu Debian)

Upstream:	released (1.3.2b-1)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (1.3.2c-1)

Patches:

More Information

Mitre
NVD
Launchpad
Debian

Updated: 2022-02-10 23:39:01 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)