Unrated severityNVD Advisory· Published Oct 28, 2009· Updated Apr 23, 2026
CVE-2009-3639
CVE-2009-3639
Description
The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Affected products
7cpe:2.3:a:proftpd:proftpd:1.3.1:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:a:proftpd:proftpd:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.2:rc4:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:*:a:*:*:*:*:*:*range: <=1.3.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12- www.securityfocus.com/bid/36804nvdPatch
- bugzilla.redhat.com/show_bug.cginvdPatch
- secunia.com/advisories/37131nvdVendor Advisory
- bugs.proftpd.org/show_bug.cginvd
- marc.infonvd
- marc.infonvd
- secunia.com/advisories/37219nvd
- www.debian.org/security/2009/dsa-1925nvd
- www.mandriva.com/security/advisoriesnvd
- exchange.xforce.ibmcloud.com/vulnerabilities/53936nvd
- www.redhat.com/archives/fedora-package-announce/2009-November/msg00642.htmlnvd
- www.redhat.com/archives/fedora-package-announce/2009-November/msg00649.htmlnvd
News mentions
0No linked articles in our index yet.