CVE-2009-2474

Name of the Vulnerable Software and Affected Versions neon versions prior to 0.28.6

Description The issue arises from improper handling of a '0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate when OpenSSL or GnuTLS is used. This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

Recommendations For versions prior to 0.28.6, update to version 0.28.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of SSL servers with certificates containing a '0' character in the domain name until a patch is available.