Bug#539934: Forgot to report also CVE-2009-2408

Giuseppe Iuculano giuseppe at iuculano.it
Tue Aug 4 15:12:42 UTC 2009


retitle 539934 CVE-2009-2408, CVE-2009-2404, NSS multiple vulnerabilities
fixed 539934 3.12.3-1
thanks


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nss.

CVE-2009-2408[0]:
| Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly
| handle a '\0' character in a domain name in the subject's Common Name
| (CN) field of an X.509 certificate, which allows man-in-the-middle
| attackers to spoof arbitrary SSL servers via a crafted certificate
| issued by a legitimate Certification Authority.


This issue is fixed in upstream NSS 3.12.3, so only the lenny version is vulnerable.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
    http://security-tracker.debian.net/tracker/CVE-2009-2408
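
The class of check described in the CVE text above, as an added example that is not part of the original message and is not NSS code: a Common Name compared as a C string is cut off at the first '\0', while a length-aware comparison rejects it. The struct, function names and sample bytes are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decoded CN: a length-delimited byte string, as ASN.1 carries it.
 * The struct and all names below are hypothetical, not NSS types. */
struct cn_value { const unsigned char *data; size_t len; };

/* Constructed sample: 15 bytes of host name, a NUL, then 14 more bytes. */
static const unsigned char crafted_bytes[] = "www.example.com\0.other.example";
static const struct cn_value CRAFTED = { crafted_bytes, sizeof crafted_bytes - 1 };
static const unsigned char plain_bytes[] = "www.example.com";
static const struct cn_value PLAIN = { plain_bytes, sizeof plain_bytes - 1 };

/* Flawed check: treats the CN as a C string, so the comparison ends at the
 * first '\0' and every byte after it is ignored (case-sensitive for brevity). */
int cn_matches_cstring(const struct cn_value *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Length-aware check: refuse any CN with an embedded NUL, then compare the
 * full decoded length, ignoring ASCII case. */
int cn_matches_strict(const struct cn_value *cn, const char *host)
{
    size_t i, hlen = strlen(host);

    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != hlen)
        return 0;
    for (i = 0; i < hlen; i++)
        if (tolower(cn->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("crafted CN, C-string check: %d\n", cn_matches_cstring(&CRAFTED, host));
    printf("crafted CN, strict check:   %d\n", cn_matches_strict(&CRAFTED, host));
    printf("plain CN,   strict check:   %d\n", cn_matches_strict(&PLAIN, host));
    return 0;
}
```

The same length-versus-terminator mismatch is worth auditing wherever certificate name fields are copied into C strings before comparison.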

