libneon-devel-0.30.1-1.11 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10496-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libneon-devel-0.30.1-1.11 on GA media These are all security issues fixed in the libneon-devel-0.30.1-1.11 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10496 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-2473/ SUSE CVE CVE-2009-2473 page https://www.suse.com/security/cve/CVE-2009-2474/ SUSE CVE CVE-2009-2474 page openSUSE Tumbleweed libneon-devel-0.30.1-1.11 libneon27-0.30.1-1.11 libneon27-32bit-0.30.1-1.11 libneon-devel-0.30.1-1.11 as a component of openSUSE Tumbleweed libneon27-0.30.1-1.11 as a component of openSUSE Tumbleweed libneon27-32bit-0.30.1-1.11 as a component of openSUSE Tumbleweed neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. CVE-2009-2473 openSUSE Tumbleweed:libneon-devel-0.30.1-1.11 openSUSE Tumbleweed:libneon27-0.30.1-1.11 openSUSE Tumbleweed:libneon27-32bit-0.30.1-1.11 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-2473.html CVE-2009-2473 https://bugzilla.suse.com/528370 SUSE Bug 528370 https://bugzilla.suse.com/532345 SUSE Bug 532345 neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVE-2009-2474 openSUSE Tumbleweed:libneon-devel-0.30.1-1.11 openSUSE Tumbleweed:libneon27-0.30.1-1.11 openSUSE Tumbleweed:libneon27-32bit-0.30.1-1.11 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-2474.html CVE-2009-2474 https://bugzilla.suse.com/528370 SUSE Bug 528370