Bug#539895: CVE-2009-2409: spoof certificates by using MD2 design flaws
giuseppe at iuculano.it
Tue Aug 4 09:59:53 UTC 2009
Tags: security lenny
-----BEGIN PGP SIGNED MESSAGE-----
the following CVE (Common Vulnerabilities & Exposures) id was
published for nss.
| The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
| and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
| MD2 with X.509 certificates, which might allow remote attackers to
| spoof certificates by using MD2 design flaws to generate a hash
| collision in less than brute-force time. NOTE: the scope of this
| issue is currently limited because the amount of computation required
| is still large.
The NSS library since version 3.12.3 has disabled MD2 by default, so only
the lenny version is affected.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the pkg-mozilla-maintainers