Back to search
CVE-2009-3639
Published: Oct 28, 2009
Modified: Aug 7, 2024
PUBLISHED
Description
The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
[oss-security] 20091023 proftpd - mod_tls - Improper SSL/TLS certificate subjectAltName verification
mailing-list
x_refsource_MLIST
FEDORA-2009-11666
vendor-advisory
x_refsource_FEDORA
37219
third-party-advisory
x_refsource_SECUNIA
FEDORA-2009-11649
vendor-advisory
x_refsource_FEDORA
DSA-1925
vendor-advisory
x_refsource_DEBIAN
http://bugs.proftpd.org/show_bug.cgi?id=3275
x_refsource_CONFIRM
[oss-security] 20091023 Re: proftpd - mod_tls - Improper SSL/TLS certificate subjectAltName verification
mailing-list
x_refsource_MLIST
36804
vdb-entry
x_refsource_BID
proftpd-modtls-security-bypass(53936)
vdb-entry
x_refsource_XF
37131
third-party-advisory
x_refsource_SECUNIA
MDVSA-2009:288
vendor-advisory
x_refsource_MANDRIVA
https://bugzilla.redhat.com/show_bug.cgi?id=530719
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now