[Pkg-openssl-devel] Bug#539899: Bug#539899: CVE-2009-2409: spoof certificates by using MD2 design flaws
Moritz Muehlenhoff
jmm at inutil.org
Sun Aug 9 19:24:31 UTC 2009
On Wed, Aug 05, 2009 at 03:10:04PM +0200, Kurt Roeckx wrote:
> On Tue, Aug 04, 2009 at 12:13:36PM +0200, Giuseppe Iuculano wrote:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for openssl.
> >
> > CVE-2009-2409[0]:
> > | The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
> > | and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
> > | MD2 with X.509 certificates, which might allow remote attackers to
> > | spoof certificates by using MD2 design flaws to generate a hash
> > | collision in less than brute-force time. NOTE: the scope of this
> > | issue is currently limited because the amount of computation required
> > | is still large.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
> > http://security-tracker.debian.net/tracker/CVE-2009-2409
> > Patch: http://cvs.openssl.org/chngview?cn=18381
>
> Looking at security-tracker, it seem this is also tracked as
> CVE-2009-2408?
>
> Please also add openssl097 to the list of affected packages.
>
> Should I prepare packages for stable and oldstable to fix
> this?
Please go ahead. Please also the previous set of issues, which
we failed to properly communicate with you. Sorry about that!
I'll take care of the update.
Thanks,
Moritz
More information about the Pkg-openssl-devel
mailing list