FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

neon format string vulnerabilities

Affected packages
neon < 0.24.5
tla < 1.2_1
sitecopy <= 0.13.4_1

Details

VuXML ID 84237895-8f39-11d8-8b29-0020ed76ef5a
Discovery 2004-04-14
Entry 2004-04-15
Modified 2004-06-25

Greuff reports that the neon WebDAV client library contains several format string bugs within error reporting code. A malicious server may exploit these bugs by sending specially crafted PROPFIND or PROPPATCH responses.

Although several applications include neon, such as cadaver and subversion, the FreeBSD Ports of these applications are not impacted. They are specifically configured to NOT use the included neon. Only packages listed as affected in this notice are believed to be impacted.
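The bug class described above, as an added example that is not neon's code and not part of the original advisory: a printf-style error setter in a client library receives server-supplied status text as its format string, next to the corrected call. The names `session`, `session_set_error`, `report_status_unsafe` and `report_status_safe` are hypothetical, and the status text is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical client session that stores the last error message. */
struct session { char error[128]; };

/* printf-style error setter, the usual shape of library error reporting. */
static void session_set_error(struct session *s, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(s->error, sizeof s->error, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: text taken from the server response is used as the format
 * string, so any conversion specifier in it is interpreted by vsnprintf. */
static void report_status_unsafe(struct session *s, const char *server_text)
{
    session_set_error(s, server_text);
}

/* FIXED: the format is a constant; server text is only ever data. */
static void report_status_safe(struct session *s, const char *server_text)
{
    session_set_error(s, "%s", server_text);
}

/* Returns 1 if the stored error equals the server text byte for byte. */
static int error_matches(const struct session *s, const char *server_text)
{
    return strcmp(s->error, server_text) == 0;
}

int main(void)
{
    /* Constructed status text. "%%" is a benign specifier that consumes no
     * arguments, so the unsafe path can be observed without undefined behaviour. */
    const char *text = "507 quota 100%% used";
    struct session a, b;

    report_status_unsafe(&a, text);   /* stored text is altered by the parser */
    report_status_safe(&b, text);     /* stored text is preserved verbatim */
    printf("unsafe: %s\nsafe:   %s\n", a.error, b.error);
    return !(error_matches(&b, text) && !error_matches(&a, text));
}
```

Marking such setters with the GCC/Clang `format(printf, ...)` function attribute and building with `-Wformat -Wformat-security` makes the compiler flag the unsafe call pattern.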

References

CVE Name CVE-2004-0179
URL http://secunia.com/advisories/11785
URL http://www.webdav.org/neon/