Fedora Core 2: FEDORA-2004-130 Critical: Neon Heap Overflow Risk

May 19, 2004
Critical memory overflow vulnerability in Fedora neon allows for remote code execution via malicious WebDAV server. Immediate action recommended.
An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client, such as cadaver.

Summary

neon is an HTTP and WebDAV client library, with a C interface; providing a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support.

Update Information:

Stefan Esser discovered a flaw in the neon library which allows a heap buffer overflow in a date parsing routine. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using a neon-based application which uses the date parsing routines, such as cadaver.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0398 to this issue. This update includes packages with a patch for this issue.
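
The advisory names a heap buffer overflow in a date parsing routine but does not show the affected code. The following is an added example, not neon's code or its patch: a hypothetical `parse_date` (the type, function name and sample date format are assumptions) that bounds every string field to its buffer when parsing a server-supplied date and rejects anything oversized or malformed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical type and function names; this is not neon's API. */
struct http_date {
    char wkday[10];              /* "Wednesday" (9 chars) + NUL */
    char mon[4];                 /* "Nov" (3 chars) + NUL */
    int day, year, hour, min, sec;
};

static const char *const MONTHS[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

/* Parse "Sunday, 06-Nov-94 08:49:37 GMT" from an untrusted server.
 * Returns 0 on success, -1 if the input is malformed or oversized. */
int parse_date(const char *s, struct http_date *d)
{
    int end = 0, i;

    /* Each string conversion carries a width of (buffer size - 1), so
     * sscanf can never write past wkday[] or mon[]. A bare %s here would
     * copy as many bytes as the server chose to send. */
    if (sscanf(s, "%9[^,], %2d-%3s-%2d %2d:%2d:%2d GMT%n",
               d->wkday, &d->day, d->mon, &d->year,
               &d->hour, &d->min, &d->sec, &end) != 7)
        return -1;
    /* %n is only stored if the whole format matched; require end of input. */
    if (end == 0 || s[end] != '\0')
        return -1;
    if (d->day < 1 || d->day > 31 || d->year < 0 || d->hour < 0 ||
        d->hour > 23 || d->min < 0 || d->min > 59 || d->sec < 0 || d->sec > 60)
        return -1;
    for (i = 0; i < 12; i++)
        if (strcmp(d->mon, MONTHS[i]) == 0)
            return 0;
    return -1;
}

int main(void)
{
    struct http_date d;
    /* Constructed inputs: one well-formed, one with an oversized weekday. */
    printf("%d\n", parse_date("Sunday, 06-Nov-94 08:49:37 GMT", &d));
    printf("%d\n", parse_date("AAAAAAAAAAAAAAAAAAAAAAAA, 06-Nov-94 08:49:37 GMT", &d));
    return 0;
}
```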

* Sun May 16 2004 Joe Orton <jorton@redhat.com> 0.24.5-2.2

- rebuild for FC2 update

* Sun May 16 2004 Joe Orton <jorton@redhat.com> 0.24.5-2.1

- add security fix for CVE CAN-2004-0398

This update can be downloaded from:


435cce4188891f20707b16615c893413 SRPMS/neon-0.24.5-2.2.src.rpm
6dece9ed94cbf68834f7d84b6868f4d9 i386/neon-0.24.5-2.2.i386.rpm
d307e0e58a179d12b1c40c840279d6c9 i386/neon-devel-0.24.5-2.2.i386.rpm
4d4b66a4a49c82ed57ce4c00a2b0cebc i386/debug/ne...

Fedora Update Notification FEDORA-2004-130 2004-05-19
Product : Fedora Core 2
Name : neon
Version : 0.24.5
Release : 2.2
Summary : An HTTP and WebDAV client library
Description : neon is an HTTP and WebDAV client library, with a C interface; providing a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support.

Severity: critical

Product: Fedora Core 2
Name: neon
Version: 0.24.5
Release: 2.2
Summary: An HTTP and WebDAV client library

Product: Fedora Core 1
Name: neon
Version: 0.24.5
Release: 2.1
Summary: An HTTP and WebDAV client library
