Bug#539895: CVE-2009-2409: spoof certificates by using MD2 design flaws
Giuseppe Iuculano
giuseppe at iuculano.it
Tue Aug 4 09:59:53 UTC 2009
Package: nss
Version: 3.12.0-6
Severity: important
Tags: security lenny
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nss.
CVE-2009-2409[0]:
| The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
| and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
| MD2 with X.509 certificates, which might allow remote attackers to
| spoof certificates by using MD2 design flaws to generate a hash
| collision in less than brute-force time. NOTE: the scope of this
| issue is currently limited because the amount of computation required
| is still large.
The NSS library since version 3.12.3 has disabled MD2 by default, so only
the lenny version is affected.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
http://security-tracker.debian.net/tracker/CVE-2009-2409
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp4BpYACgkQNxpp46476ap2EQCfcTQr+2RFdTqKMG0J1dBvCKqY
ddgAn14HPxWzZ6a9Ubsk5f3TKQ/k9zTD
=jhHJ
-----END PGP SIGNATURE-----
More information about the pkg-mozilla-maintainers
mailing list