CVE-2009-3639

Name of the Vulnerable Software and Affected Versions ProFTPD versions prior to 1.3.2b ProFTPD version 1.3.3 before 1.3.3rc2

Description The issue arises from improper handling of a '0' character in a domain name within the Subject Alternative Name field of an X.509 client certificate when the dNSNameRequired TLS option is enabled. This allows remote attackers to bypass intended client-hostname restrictions by using a crafted certificate issued by a legitimate Certification Authority.

Recommendations For ProFTPD versions prior to 1.3.2b, update to version 1.3.2b or later. For ProFTPD version 1.3.3 before 1.3.3rc2, update to version 1.3.3rc2 or later.