This release fixes security issue CVE-2007-0157, thanks to Laszlo Boszormenyi: an array index error in the URI parser in neon versions 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index.
Download: http://www.webdav.org/neon/neon-0.26.3.tar.gz
Signature: http://www.webdav.org/neon/neon-0.26.3.tar.gz.asc

SHA1: 8f3191cc6fe0aee5323dac58b03362cddc5d80d0 neon-0.26.3.tar.gz
MD5: 6e52cd9c03e372026d6eccbfb80f09ef neon-0.26.3.tar.gz

Changes in release 0.26.3:

* Fix buffer under-read in URI parser (Laszlo Boszormenyi, CVE-2007-0157)
* Fix regression in handling of "attempt" argument passed to auth callbacks; ensure the value only increments for each invocation of the callback
* Fix handling of "nextnonce" parameter in Digest authentication
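The bug class described above (a character-class table indexed by a byte that has been converted to a signed value) is illustrated by the following added example. It is not neon's code and is not part of the original announcement; the table `path_ok`, the function names and the sample URI are all hypothetical, and no out-of-bounds read is performed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed class table (not neon's): 1 = byte allowed in a URI path. */
static unsigned char path_ok[256];

static void init_table(void)
{
    const char *p = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                    "0123456789-._~!$&'()*+,;=:@/%";
    memset(path_ok, 0, sizeof path_ok);
    for (; *p; p++) path_ok[(unsigned char)*p] = 1;
}

/* Index a parser would compute if it used a signed char directly:
 * bytes >= 0x80 sign-extend to -128..-1. Modelled arithmetically so the
 * result is identical whether plain char is signed or unsigned. */
static int naive_index(const char *s, size_t i)
{
    unsigned char b = (unsigned char)s[i];
    return b >= 0x80 ? (int)b - 256 : (int)b;
}

/* Hardened index: always within 0..255, so the lookup stays in bounds. */
static int safe_index(const char *s, size_t i)
{
    return (unsigned char)s[i];
}

/* Validate a path using only in-bounds lookups; non-ASCII is rejected. */
static int path_is_clean(const char *s)
{
    size_t i;
    init_table();
    for (i = 0; s[i]; i++) if (!path_ok[safe_index(s, i)]) return 0;
    return 1;
}

int main(void)
{
    const char *uri = "/caf\xc3\xa9"; /* constructed sample, UTF-8 e-acute */
    printf("naive=%d safe=%d clean=%d\n", naive_index(uri, 4),
           safe_index(uri, 4), path_is_clean(uri));
    return 0;
}
```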
