Debian Bug report logs -
#539934
CVE-2009-2408, CVE-2009-2404, NSS multiple vulnerabilities
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Tue, 4 Aug 2009 15:03:02 UTC
Severity: serious
Tags: lenny, security
Found in version 3.12.0-6
Fixed in versions 3.12.3.1-0lenny1, 3.12.3-1
Done: Mike Hommey <mh@glandium.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#539934; Package nss.
(Tue, 04 Aug 2009 15:03:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Tue, 04 Aug 2009 15:03:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: nss
Version: 3.12.0-6
Severity: serious
Tags: security lenny
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nss.
CVE-2009-2404[0]:
| Heap-based buffer overflow in a regular-expression parser in Mozilla
| Network Security Services (NSS) before 3.12.3, as used in Firefox,
| Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger
| (AIM), allows remote SSL servers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a long
| domain name in the subject's Common Name (CN) field of an X.509
| certificate, related to the cert_TestHostName function.
This issue is fixed in upstream NSS 3.12.3, so only the lenny version is vulnerable.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404
http://security-tracker.debian.net/tracker/CVE-2009-2404
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp4TDMACgkQNxpp46476aqh0wCghZbP9Z5/ml4Ka+xwixNh02mU
sk0An3p5CTaTIpcIOyxtByn0cWpvY8m/
=rCbx
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#539934; Package nss.
(Tue, 04 Aug 2009 15:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Tue, 04 Aug 2009 15:15:04 GMT) (full text, mbox, link).
Message #10 received at 539934@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
retitle 539934 CVE-2009-2408, CVE-2009-2404, NSS multiple vulnerabilities
fixed 539934 3.12.3-1
thanks
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nss.
CVE-2009-2408[0]:
| Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly
| handle a '\0' character in a domain name in the subject's Common Name
| (CN) field of an X.509 certificate, which allows man-in-the-middle
| attackers to spoof arbitrary SSL servers via a crafted certificate
| issued by a legitimate Certification Authority.
This issue is fixed in upstream NSS 3.12.3, so only the lenny version is vulnerable.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://security-tracker.debian.net/tracker/CVE-2009-2408
[signature.asc (application/pgp-signature, attachment)]
Changed Bug title to 'CVE-2009-2408, CVE-2009-2404, NSS multiple vulnerabilities' from 'CVE-2009-2404: Heap-based buffer overflow in a regular-expression parser'
Request was from Giuseppe Iuculano <giuseppe@iuculano.it>
to control@bugs.debian.org.
(Tue, 04 Aug 2009 15:15:05 GMT) (full text, mbox, link).
Bug Marked as fixed in versions 3.12.3-1.
Request was from Giuseppe Iuculano <giuseppe@iuculano.it>
to control@bugs.debian.org.
(Tue, 04 Aug 2009 15:15:06 GMT) (full text, mbox, link).
Bug Marked as fixed in versions 3.12.3.1-0lenny1.
Request was from Mike Hommey <glandium@debian.org>
to control@bugs.debian.org.
(Fri, 18 Dec 2009 12:15:12 GMT) (full text, mbox, link).
Reply sent
to Mike Hommey <mh@glandium.org>:
You have taken responsibility.
(Tue, 22 Dec 2009 10:18:20 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Tue, 22 Dec 2009 10:18:20 GMT) (full text, mbox, link).
Message #21 received at 539934-done@bugs.debian.org (full text, mbox, reply):
Version: 3.12.3-1
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 20 Jan 2010 07:31:26 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:15:40 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon