[Pkg-openssl-devel] Bug#539899: Bug#539899: CVE-2009-2409: spoof certificates by using MD2 design flaws

Moritz Muehlenhoff jmm at inutil.org
Mon Aug 17 16:56:39 UTC 2009


On Tue, Aug 11, 2009 at 11:26:42PM +0200, Kurt Roeckx wrote:
> On Sun, Aug 09, 2009 at 09:24:31PM +0200, Moritz Muehlenhoff wrote:
> > On Wed, Aug 05, 2009 at 03:10:04PM +0200, Kurt Roeckx wrote:
> > > On Tue, Aug 04, 2009 at 12:13:36PM +0200, Giuseppe Iuculano wrote:
> > > > Hi,
> > > > the following CVE (Common Vulnerabilities & Exposures) id was
> > > > published for openssl.
> > > > 
> > > > CVE-2009-2409[0]:
> > > > | The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
> > > > | and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
> > > > | MD2 with X.509 certificates, which might allow remote attackers to
> > > > | spoof certificates by using MD2 design flaws to generate a hash
> > > > | collision in less than brute-force time.  NOTE: the scope of this
> > > > | issue is currently limited because the amount of computation required
> > > > | is still large.
> > > > 
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE id in your changelog entry.
> > > > 
> > > > For further information see:
> > > > 
> > > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
> > > >     http://security-tracker.debian.net/tracker/CVE-2009-2409
> > > >     Patch: http://cvs.openssl.org/chngview?cn=18381
> > > 
> > > Should I prepare packages for stable and oldstable to fix
> > > this?
> > 
> > Please go ahead. Please also fix the previous set of issues, which
> > we failed to properly communicate with you. Sorry about that!
> > 
> > I'll take care of the update.
> 
> http://people.debian.org/~kroeckx/openssl/ has:
> lenny/openssl_0.9.8g-15+lenny4_amd64.changes
> etch/openssl_0.9.8c-4etch8_amd64.changes
> etch/openssl097_0.9.7k-3.1etch4_amd64.changes

I've been to HAR 2009 and had no access to my Debian development system.
Updates are building now.

Thanks,
        Moritz
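The CVE text quoted above describes clients accepting certificates whose signature uses MD2. As an added example, not code from this thread or from OpenSSL, here is a small Python pre-check that walks the DER structure of a certificate and reports those whose signatureAlgorithm OID is MD2-based (the MD5 variant is listed as well); the certificate skeleton it runs on is constructed for the test and is not a real certificate.

```python
# Added example (not from the bug thread or OpenSSL): flag X.509 certificates
# whose outer signatureAlgorithm is MD2-based. Pure DER walking, no crypto.

WEAK_SIG_OIDS = {            # dotted OID -> algorithm name
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted-decimal string."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                        # last base-128 byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm.algorithm (RFC 5280)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)              # skip tbsCertificate
    tag, algid, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid, _ = _read_tlv(algid, 0)           # its .algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    return _decode_oid(oid)

def weak_signature(cert_der):
    """Name of the weak hash-based algorithm used, or None if acceptable."""
    return WEAK_SIG_OIDS.get(signature_oid(cert_der))

def sample_cert(oid_content):
    """Constructed skeleton SEQUENCE{tbs SEQUENCE{}, AlgId, BIT STRING}; not a real cert."""
    algid_inner = bytes([0x06, len(oid_content)]) + oid_content + b"\x05\x00"
    body = b"\x30\x00" + bytes([0x30, len(algid_inner)]) + algid_inner + b"\x03\x02\x00\xab"
    return bytes([0x30, len(body)]) + body

MD2_RSA = bytes.fromhex("2a864886f70d010102")     # 1.2.840.113549.1.1.2
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Running `weak_signature()` over each certificate in a chain before validation gives a log line or rejection for MD2-signed certificates independent of what the TLS library's digest set allows.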
