Debian Bug report logs -
#539895
CVE-2009-2409: spoof certificates by using MD2 design flaws
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Tue, 4 Aug 2009 10:04:02 UTC
Severity: important
Tags: lenny, security
Found in version 3.12.0-6
Fixed in versions 3.12.3.1-0lenny1, 3.12.3-1
Done: Mike Hommey <mh@glandium.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#539895; Package nss.
(Tue, 04 Aug 2009 10:04:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Tue, 04 Aug 2009 10:04:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: nss
Version: 3.12.0-6
Severity: important
Tags: security lenny
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nss.
CVE-2009-2409[0]:
| The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
| and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
| MD2 with X.509 certificates, which might allow remote attackers to
| spoof certificates by using MD2 design flaws to generate a hash
| collision in less than brute-force time. NOTE: the scope of this
| issue is currently limited because the amount of computation required
| is still large.
The NSS library since version 3.12.3 has disabled MD2 by default, so only
the lenny version is affected.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
http://security-tracker.debian.net/tracker/CVE-2009-2409
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp4BpYACgkQNxpp46476ap2EQCfcTQr+2RFdTqKMG0J1dBvCKqY
ddgAn14HPxWzZ6a9Ubsk5f3TKQ/k9zTD
=jhHJ
-----END PGP SIGNATURE-----
Bug Marked as fixed in versions 3.12.3-1.
Request was from Giuseppe Iuculano <giuseppe@iuculano.it>
to control@bugs.debian.org.
(Tue, 04 Aug 2009 10:15:12 GMT) (full text, mbox, link).
Bug Marked as fixed in versions 3.12.3.1-0lenny1.
Request was from Mike Hommey <glandium@debian.org>
to control@bugs.debian.org.
(Fri, 18 Dec 2009 12:39:05 GMT) (full text, mbox, link).
Reply sent
to Mike Hommey <mh@glandium.org>:
You have taken responsibility.
(Tue, 22 Dec 2009 10:18:22 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Tue, 22 Dec 2009 10:18:22 GMT) (full text, mbox, link).
Message #14 received at 539895-done@bugs.debian.org (full text, mbox, reply):
Version: 3.12.3-1
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 20 Jan 2010 07:38:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:51:05 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon