FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

fetchmail -- improper SSL certificate subject verification

Affected packages
fetchmail < 6.3.11


VuXML ID 5179d85c-8683-11de-91b9-0022157515b2
Discovery 2009-08-06
Entry 2009-08-11
Modified 2009-08-13

Matthias Andree reports:

Moxie Marlinspike demonstrated in July 2009 that some CAs would sign certificates that contain embedded NUL characters in the Common Name or subjectAltName fields of ITU-T X.509 certificates.

Applications that would treat such X.509 strings as NUL-terminated C strings (rather than strings that contain an explicit length field) would only check the part up to and excluding the NUL character, so that certificate names such as www.good.example\ would be mistaken as a certificate name for www.good.example. fetchmail also had this design and implementation flaw.


CVE Name CVE-2009-2666