CVE-2009-2473 - Resource Management Errors vulnerability in WebDAV neon before 0.28.6
CVSS base metrics

Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | PARTIAL |

Summary
neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
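The summary above gives the mechanism in one sentence: the client parses XML received from a DAV server, and a DTD with nested entity declarations makes the parser expand text exponentially. The example below is added for this page and is not code from neon, expat or any of the advisories. It uses Python's xml.parsers.expat, which wraps the same expat library neon can be built against, to build a small nested-entity document, show how much text a default parser produces from it, and show a hardened parser that refuses entity declarations outright and additionally caps the amount of expanded text. The document builder, the two parse functions, the exception classes, the "refuse every DTD entity declaration" policy and the byte budget are all constructions for this example (a WebDAV client has no need for custom entities, which is why refusing them is a reasonable policy); they are not neon's own fix.

```python
import xml.parsers.expat


class EntityDeclarationRejected(ValueError):
    """Raised by the hardened parser when the document declares an entity."""


class TextBudgetExceeded(ValueError):
    """Raised by the hardened parser when expanded text exceeds the budget."""


def build_nested_entity_doc(depth: int = 4, fanout: int = 10) -> str:
    """Constructed sample: a scaled-down nested-entity ("billion laughs") document.

    Level i references level i-1 `fanout` times, so &lol{depth}; expands to
    fanout**depth copies of the three-character string "lol". depth=4 keeps the
    unsafe parse fast (30000 characters); an attacker would use 9 or 10 levels.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = "".join(f"&lol{i - 1};" for _ in range(fanout))
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return (
        '<?xml version="1.0"?>\n<!DOCTYPE d [\n'
        + "\n".join(decls)
        + f"\n]>\n<d>&lol{depth};</d>\n"
    )


def parse_unsafe(doc: str) -> int:
    """Parse with expat defaults and return how many characters of text the
    parser delivered after entity expansion. Nothing limits the expansion."""
    total = 0

    def on_chardata(data: str) -> None:
        nonlocal total
        total += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chardata
    parser.Parse(doc, True)
    return total


def parse_hardened(doc: str, max_text_bytes: int = 1 << 20) -> int:
    """Same parse, with two defences (both assumptions chosen for this example):

    1. Any entity declaration in the DTD aborts the parse before a single
       reference is expanded (predefined entities such as &amp; are unaffected).
    2. The total expanded text is capped, so a document that slips past the
       first check still cannot consume unbounded memory.
    """
    total = 0

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Raising inside an expat handler stops the parser and propagates out of Parse().
        raise EntityDeclarationRejected(f"entity declaration not allowed: {name}")

    def on_chardata(data: str) -> None:
        nonlocal total
        total += len(data)
        if total > max_text_bytes:
            raise TextBudgetExceeded(f"expanded text exceeds {max_text_bytes} bytes")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chardata
    parser.Parse(doc, True)
    return total


if __name__ == "__main__":
    doc = build_nested_entity_doc(depth=4, fanout=10)
    print(f"input size: {len(doc)} bytes")
    print(f"unsafe parse delivered {parse_unsafe(doc)} characters of text")
    try:
        parse_hardened(doc)
    except EntityDeclarationRejected as exc:
        print(f"hardened parse refused the document: {exc}")
```

With depth 4 the input is a few hundred bytes and the unsafe parse already yields 30000 characters; each extra level multiplies that by ten, which is the asymmetry the advisory describes. Refusing entity declarations is the cheaper and more complete defence, since it fires before any expansion happens; the byte budget is defence in depth for parsers that cannot reject declarations.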
Vulnerable Configurations

Part | Description | Count |
---|---|---|
Application | neon before 0.28.6, when built against expat | 1 |

Common Weakness Enumeration (CWE)

CWE-399: Resource Management Errors
Exploit-Db

Field | Value |
---|---|
description | Expat 2.0.1 UTF-8 Character XML Parsing Remote Denial of Service Vulnerability. CVE-2009-2473. Dos exploit for linux platform |
id | EDB-ID:10206 |
last seen | 2016-02-01 |
modified | 2009-11-12 |
published | 2009-11-12 |
reporter | Peter Valchev |
source | https://www.exploit-db.com/download/10206/ |
title | Expat 2.0.1 UTF-8 Character XML Parsing Remote Denial of Service Vulnerability |

Note that the Exploit-DB title describes a crash in Expat's UTF-8 character parsing, not the nested-entity expansion that CVE-2009-2473 covers; confirm the mapping before treating EDB-ID:10206 as a proof of concept for this CVE.
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1452.NASL description From Red Hat Security Advisory 2009:1452 : Updated neon packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. neon is an HTTP and WebDAV client library, with a C interface. It provides a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support. It was discovered that neon is affected by the previously published last seen 2020-06-01 modified 2020-06-02 plugin id 67927 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67927 title Oracle Linux 4 / 5 : neon (ELSA-2009-1452) NASL family SuSE Local Security Checks NASL id SUSE_11_0_LIBNEON-DEVEL-091012.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers (CVE-2009-2408). Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory (CVE-2009-2473). last seen 2020-06-01 modified 2020-06-02 plugin id 42315 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42315 title openSUSE Security Update : libneon-devel (libneon-devel-1377) NASL family MacOS X Local Security Checks NASL id MACOSX_10_6_5.NASL description The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.5. 
Mac OS X 10.6.5 contains security fixes for the following products : - AFP Server - Apache mod_perl - Apache - AppKit - ATS - CFNetwork - CoreGraphics - CoreText - CUPS - Directory Services - diskdev_cmds - Disk Images - Flash Player plug-in - gzip - Image Capture - ImageIO - Image RAW - Kernel - MySQL - neon - Networking - OpenLDAP - OpenSSL - Password Server - PHP - Printing - python - QuickLook - QuickTime - Safari RSS - Time Machine - Wiki Server - X11 - xar last seen 2020-06-01 modified 2020-06-02 plugin id 50548 published 2010-11-10 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50548 title Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-221.NASL description Multiple vulnerabilities has been found and corrected in libneon0.27 : neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564 (CVE-2009-2473). neon before 0.28.6, when OpenSSL is used, does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 40764 published 2009-08-25 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40764 title Mandriva Linux Security Advisory : libneon0.27 (MDVSA-2009:221) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-0131.NASL description Updated gnome-vfs2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The gnome-vfs2 packages provide the GNOME Virtual File System, which is the foundation of the Nautilus file manager. neon is an HTTP and WebDAV client library embedded in the gnome-vfs2 packages. A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. Visiting a malicious DAV server with an application using gnome-vfs2 (such as Nautilus) could possibly cause the application to consume an excessive amount of CPU and memory. (CVE-2009-2473) This update also fixes the following bugs : * When extracted from the Uniform Resource Identifier (URI), gnome-vfs2 returned escaped file paths. If a path, as stored in the URI, contained non-ASCII characters or ASCII characters which are parsed as something other than a file path (for example, spaces), the escaped path was inaccurate. Consequently, files with the described type of URI could not be processed. With this update, gnome-vfs2 properly unescapes paths that are required for a system call. As a result, these paths are parsed properly. (BZ#580855) * In certain cases, the trash info file was populated by foreign entries, pointing to live data. Emptying the trash caused an accidental deletion of valuable data. With this update, a workaround has been applied in order to prevent the deletion. As a result, the accidental data loss is prevented, however further information is still gathered to fully fix this problem. (BZ#586015) * Due to a wrong test checking for a destination file system, the Nautilus file manager failed to delete a symbolic link to a folder which was residing in another file system. With this update, a special test has been added. As a result, a symbolic link pointing to another file system can be trashed or deleted properly. 
(BZ#621394) * Prior to this update, when directories without a read permission were marked for copy, the Nautilus file manager skipped these unreadable directories without notification. With this update, Nautilus displays an error message and properly informs the user about the aforementioned problem. (BZ#772307) * Previously, gnome-vfs2 used the stat() function calls for every file on the MultiVersion File System (MVFS), used for example by IBM Rational ClearCase. This behavior significantly slowed down file operations. With this update, the unnecessary stat() operations have been limited. As a result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive. (BZ#822817) All gnome-vfs2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 63576 published 2013-01-17 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63576 title CentOS 5 : gnome-vfs2 (CESA-2013:0131) NASL family Scientific Linux Local Security Checks NASL id SL_20130108_GNOME_VFS2_ON_SL5_X.NASL description A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. Visiting a malicious DAV server with an application using gnome-vfs2 (such as Nautilus) could possibly cause the application to consume an excessive amount of CPU and memory. (CVE-2009-2473) This update also fixes the following bugs : - When extracted from the Uniform Resource Identifier (URI), gnome-vfs2 returned escaped file paths. If a path, as stored in the URI, contained non- ASCII characters or ASCII characters which are parsed as something other than a file path (for example, spaces), the escaped path was inaccurate. Consequently, files with the described type of URI could not be processed. With this update, gnome-vfs2 properly unescapes paths that are required for a system call. 
As a result, these paths are parsed properly. - In certain cases, the trash info file was populated by foreign entries, pointing to live data. Emptying the trash caused an accidental deletion of valuable data. With this update, a workaround has been applied in order to prevent the deletion. As a result, the accidental data loss is prevented, however further information is still gathered to fully fix this problem. - Due to a wrong test checking for a destination file system, the Nautilus file manager failed to delete a symbolic link to a folder which was residing in another file system. With this update, a special test has been added. As a result, a symbolic link pointing to another file system can be trashed or deleted properly. - Prior to this update, when directories without a read permission were marked for copy, the Nautilus file manager skipped these unreadable directories without notification. With this update, Nautilus displays an error message and properly informs the user about the aforementioned problem. - Previously, gnome-vfs2 used the stat() function calls for every file on the MultiVersion File System (MVFS), used for example by IBM Rational ClearCase. This behavior significantly slowed down file operations. With this update, the unnecessary stat() operations have been limited. As a result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive. last seen 2020-03-18 modified 2013-01-17 plugin id 63594 published 2013-01-17 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63594 title Scientific Linux Security Update : gnome-vfs2 on SL5.x i386/x86_64 (20130108) NASL family SuSE Local Security Checks NASL id SUSE_11_1_LIBNEON-DEVEL-091012.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers (CVE-2009-2408). 
Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory (CVE-2009-2473). last seen 2020-06-01 modified 2020-06-02 plugin id 42317 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42317 title openSUSE Security Update : libneon-devel (libneon-devel-1377) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0131.NASL description Updated gnome-vfs2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The gnome-vfs2 packages provide the GNOME Virtual File System, which is the foundation of the Nautilus file manager. neon is an HTTP and WebDAV client library embedded in the gnome-vfs2 packages. A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. Visiting a malicious DAV server with an application using gnome-vfs2 (such as Nautilus) could possibly cause the application to consume an excessive amount of CPU and memory. (CVE-2009-2473) This update also fixes the following bugs : * When extracted from the Uniform Resource Identifier (URI), gnome-vfs2 returned escaped file paths. If a path, as stored in the URI, contained non-ASCII characters or ASCII characters which are parsed as something other than a file path (for example, spaces), the escaped path was inaccurate. Consequently, files with the described type of URI could not be processed. With this update, gnome-vfs2 properly unescapes paths that are required for a system call. As a result, these paths are parsed properly. 
(BZ#580855) * In certain cases, the trash info file was populated by foreign entries, pointing to live data. Emptying the trash caused an accidental deletion of valuable data. With this update, a workaround has been applied in order to prevent the deletion. As a result, the accidental data loss is prevented, however further information is still gathered to fully fix this problem. (BZ#586015) * Due to a wrong test checking for a destination file system, the Nautilus file manager failed to delete a symbolic link to a folder which was residing in another file system. With this update, a special test has been added. As a result, a symbolic link pointing to another file system can be trashed or deleted properly. (BZ#621394) * Prior to this update, when directories without a read permission were marked for copy, the Nautilus file manager skipped these unreadable directories without notification. With this update, Nautilus displays an error message and properly informs the user about the aforementioned problem. (BZ#772307) * Previously, gnome-vfs2 used the stat() function calls for every file on the MultiVersion File System (MVFS), used for example by IBM Rational ClearCase. This behavior significantly slowed down file operations. With this update, the unnecessary stat() operations have been limited. As a result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive. (BZ#822817) All gnome-vfs2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 63412 published 2013-01-08 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63412 title RHEL 5 : gnome-vfs2 (RHSA-2013:0131) NASL family SuSE Local Security Checks NASL id SUSE_NEON-6548.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. 
Attackers could exploit that to spoof SSL servers. (CVE-2009-2408) Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory. (CVE-2009-2473) last seen 2020-06-01 modified 2020-06-02 plugin id 42303 published 2009-10-29 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42303 title SuSE 10 Security Update : neon (ZYPP Patch Number 6548) NASL family Fedora Local Security Checks NASL id FEDORA_2009-8815.NASL description This update includes the latest release of neon, version 0.28.6. This fixes two security issues: * the last seen 2020-06-01 modified 2020-06-02 plugin id 40683 published 2009-08-24 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40683 title Fedora 11 : neon-0.28.6-1.fc11 (2009-8815) NASL family Scientific Linux Local Security Checks NASL id SL_20090921_NEON_ON_SL4_X.NASL description CVE-2009-2473 neon, gnome-vfs2 embedded neon: billion laughs DoS attack CVE-2009-2474 neon: Improper verification of x509v3 certificate with NULL (zero) byte in certain fields It was discovered that neon is affected by the previously published last seen 2020-06-01 modified 2020-06-02 plugin id 60667 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60667 title Scientific Linux Security Update : neon on SL4.x, SL5.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_11_LIBNEON-DEVEL-091012.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers. 
(CVE-2009-2408) Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory. (CVE-2009-2473) last seen 2020-06-01 modified 2020-06-02 plugin id 42301 published 2009-10-29 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42301 title SuSE 11 Security Update : libneon (SAT Patch Number 1376) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1452.NASL description Updated neon packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. neon is an HTTP and WebDAV client library, with a C interface. It provides a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support. It was discovered that neon is affected by the previously published last seen 2020-06-01 modified 2020-06-02 plugin id 43792 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43792 title CentOS 4 / 5 : neon (CESA-2009:1452) NASL family SuSE Local Security Checks NASL id SUSE_LIBNEON-DEVEL-6550.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers (CVE-2009-2408). Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory (CVE-2009-2473). last seen 2020-06-01 modified 2020-06-02 plugin id 42324 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/42324 title openSUSE 10 Security Update : libneon-devel (libneon-devel-6550) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-0131.NASL description From Red Hat Security Advisory 2013:0131 : Updated gnome-vfs2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The gnome-vfs2 packages provide the GNOME Virtual File System, which is the foundation of the Nautilus file manager. neon is an HTTP and WebDAV client library embedded in the gnome-vfs2 packages. A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. Visiting a malicious DAV server with an application using gnome-vfs2 (such as Nautilus) could possibly cause the application to consume an excessive amount of CPU and memory. (CVE-2009-2473) This update also fixes the following bugs : * When extracted from the Uniform Resource Identifier (URI), gnome-vfs2 returned escaped file paths. If a path, as stored in the URI, contained non-ASCII characters or ASCII characters which are parsed as something other than a file path (for example, spaces), the escaped path was inaccurate. Consequently, files with the described type of URI could not be processed. With this update, gnome-vfs2 properly unescapes paths that are required for a system call. As a result, these paths are parsed properly. (BZ#580855) * In certain cases, the trash info file was populated by foreign entries, pointing to live data. Emptying the trash caused an accidental deletion of valuable data. With this update, a workaround has been applied in order to prevent the deletion. 
As a result, the accidental data loss is prevented, however further information is still gathered to fully fix this problem. (BZ#586015) * Due to a wrong test checking for a destination file system, the Nautilus file manager failed to delete a symbolic link to a folder which was residing in another file system. With this update, a special test has been added. As a result, a symbolic link pointing to another file system can be trashed or deleted properly. (BZ#621394) * Prior to this update, when directories without a read permission were marked for copy, the Nautilus file manager skipped these unreadable directories without notification. With this update, Nautilus displays an error message and properly informs the user about the aforementioned problem. (BZ#772307) * Previously, gnome-vfs2 used the stat() function calls for every file on the MultiVersion File System (MVFS), used for example by IBM Rational ClearCase. This behavior significantly slowed down file operations. With this update, the unnecessary stat() operations have been limited. As a result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive. (BZ#822817) All gnome-vfs2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 68702 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68702 title Oracle Linux 5 : gnome-vfs2 (ELSA-2013-0131) NASL family SuSE Local Security Checks NASL id SUSE_NEON-6549.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers. (CVE-2009-2408) Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory. 
(CVE-2009-2473) last seen 2020-06-01 modified 2020-06-02 plugin id 49905 published 2010-10-11 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49905 title SuSE 10 Security Update : neon (ZYPP Patch Number 6549) NASL family Fedora Local Security Checks NASL id FEDORA_2009-8794.NASL description This update includes the latest release of neon, version 0.28.6. This fixes two security issues: * the last seen 2020-06-01 modified 2020-06-02 plugin id 40677 published 2009-08-24 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40677 title Fedora 10 : neon-0.28.6-1.fc10 (2009-8794) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1452.NASL description Updated neon packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. neon is an HTTP and WebDAV client library, with a C interface. It provides a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support. It was discovered that neon is affected by the previously published last seen 2020-06-01 modified 2020-06-02 plugin id 41031 published 2009-09-22 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/41031 title RHEL 4 / 5 : neon (RHSA-2009:1452)
Oval

Field | Value |
---|---|
accepted | 2013-04-29T04:19:34.560-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. |
family | unix |
id | oval:org.mitre.oval:def:9461 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | (same text as description) |
version | 27 |
Redhat

Field | Value |
---|---|
advisories | |
rpms | |
Seebug

Field | Value |
---|---|
bulletinFamily | exploit |
description | BUGTRAQ ID: 36080. CVE(CAN) ID: CVE-2009-2473. neon is an HTTP and WebDAV client library. When built against the expat library, neon does not correctly detect recursion during entity expansion. When a client application accesses a malicious DAV server, or parses an XML document through the XML parsing interface (ne_xml*), a specially crafted XML document containing a large number of nested entity references can exhaust large amounts of memory and CPU. Affected: Neon Client Library < 0.28.6. Vendor patch: the vendor has released an upgrade that fixes this security issue; download it from the vendor's site: http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html |
id | SSV:12116 |
last seen | 2017-11-19 |
modified | 2009-08-26 |
published | 2009-08-26 |
reporter | Root |
title | Neon XML document parsing denial of service vulnerability |
Statements

Field | Value |
---|---|
contributor | Tomas Hoger |
lastmodified | 2009-09-22 |
organization | Red Hat |
statement | Updated neon packages for Red Hat Enterprise Linux 4 and 5 were released via: https://rhn.redhat.com/errata/RHSA-2009-1452.html Embedded copy of the neon library is included in the versions of gnome-vfs2 packages as shipped with Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having low security impact on gnome-vfs2, future updates may address this flaw. |
References
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
- http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html
- http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
- http://rhn.redhat.com/errata/RHSA-2013-0131.html
- http://secunia.com/advisories/36371
- http://support.apple.com/kb/HT4435
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:221
- http://www.vupen.com/english/advisories/2009/2341
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52633
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9461
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html