[Pkg-openssl-devel] Bug#539899: Bug#539899: CVE-2009-2409: spoof certificates by using MD2 design flaws

Kurt Roeckx kurt at roeckx.be
Tue Aug 11 21:26:42 UTC 2009


On Sun, Aug 09, 2009 at 09:24:31PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Aug 05, 2009 at 03:10:04PM +0200, Kurt Roeckx wrote:
> > On Tue, Aug 04, 2009 at 12:13:36PM +0200, Giuseppe Iuculano wrote:
> > > Hi,
> > > the following CVE (Common Vulnerabilities & Exposures) id was
> > > published for openssl.
> > > 
> > > CVE-2009-2409[0]:
> > > | The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
> > > | and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
> > > | MD2 with X.509 certificates, which might allow remote attackers to
> > > | spoof certificates by using MD2 design flaws to generate a hash
> > > | collision in less than brute-force time.  NOTE: the scope of this
> > > | issue is currently limited because the amount of computation required
> > > | is still large.
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
> > >     http://security-tracker.debian.net/tracker/CVE-2009-2409
> > >     Patch: http://cvs.openssl.org/chngview?cn=18381
> > 
> > Should I prepare packages for stable and oldstable to fix
> > this?
> 
> Please go ahead. Please also fix the previous set of issues, which
> we failed to properly communicate with you. Sorry about that!
> 
> I'll take care of the update.

http://people.debian.org/~kroeckx/openssl/ has:
lenny/openssl_0.9.8g-15+lenny4_amd64.changes
etch/openssl_0.9.8c-4etch8_amd64.changes
etch/openssl097_0.9.7k-3.1etch4_amd64.changes


Kurt
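Added example, not part of this thread or of the OpenSSL/Debian packages: a defender-side check that walks the outer DER framing of an X.509 certificate and flags the MD2 (and MD5) RSA signature OIDs that CVE-2009-2409 concerns, which is the class of certificate the referenced OpenSSL change stops trusting. The certificate bytes are constructed placeholders (a dummy tbsCertificate), not real certificates; the helper names are my own.

```python
# Added example, not from the thread: inspect the signatureAlgorithm of a
# DER certificate and flag the digests CVE-2009-2409 is about.
# Certificates built by fake_cert() are CONSTRUCTED placeholders.

WEAK_SIG_OIDS = {                        # PKCS #1 signature OIDs that are broken
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                    # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)                    # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)                  # AlgorithmIdentifier
    _, oid_raw, _ = read_tlv(alg, 0)                 # its algorithm OID
    return decode_oid(oid_raw)

def check_chain(chain):
    """Per certificate: weak algorithm name, or None when it is not listed."""
    return [WEAK_SIG_OIDS.get(signature_oid(c)) for c in chain]

def tlv(tag, body):                      # short-form lengths suffice for the demo
    return bytes([tag, len(body)]) + body

def fake_cert(sig_oid_der):
    """Minimal Certificate framing around a placeholder tbsCertificate."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, sig_oid_der) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 4))

MD2_RSA = bytes.fromhex("2a864886f70d010102")     # 1.2.840.113549.1.1.2
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Real chains would be fed as DER bytes (e.g. from a PEM file after base64 decoding); a non-None entry means the signature relies on a digest the advisory describes as collision-prone.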