[Pkg-openssl-devel] Bug#539899: Bug#539899: CVE-2009-2409: spoof certificates by using MD2 design flaws
kurt at roeckx.be
Tue Aug 11 21:26:42 UTC 2009
On Sun, Aug 09, 2009 at 09:24:31PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Aug 05, 2009 at 03:10:04PM +0200, Kurt Roeckx wrote:
> > On Tue, Aug 04, 2009 at 12:13:36PM +0200, Giuseppe Iuculano wrote:
> > > Hi,
> > > the following CVE (Common Vulnerabilities & Exposures) id was
> > > published for openssl.
> > >
> > > CVE-2009-2409:
> > > | The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
> > > | and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
> > > | MD2 with X.509 certificates, which might allow remote attackers to
> > > | spoof certificates by using MD2 design flaws to generate a hash
> > > | collision in less than brute-force time. NOTE: the scope of this
> > > | issue is currently limited because the amount of computation required
> > > | is still large.
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE id in your changelog entry.
> > >
> > > For further information see:
> > >
> > >  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
> > > http://security-tracker.debian.net/tracker/CVE-2009-2409
> > > Patch: http://cvs.openssl.org/chngview?cn=18381
> > Should I prepare packages for stable and oldstable to fix
> > this?
> Please go ahead. Please also the previous set of issues, which
> we failed to properly communicate with you. Sorry about that!
> I'll take care of the update.
More information about the Pkg-openssl-devel