thr3ads.net - Secure testing team - [Secure-testing-team] Bug#539901: CVE-2009-2409: spoof certificates by using MD2 design flaws [Aug 2009]

If this information is useful, please help other people find it:
Share via:

Giuseppe Iuculano

2009-Aug-04 10:25 UTC

[Secure-testing-team] Bug#539901: CVE-2009-2409: spoof certificates by using MD2 design flaws

Package: gnutls26
Version: 2.4.2-6+lenny1
Severity: important
Tags: security patch lenny

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gnutls26.

CVE-2009-2409[0]:
| The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
| and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
| MD2 with X.509 certificates, which might allow remote attackers to
| spoof certificates by using MD2 design flaws to generate a hash
| collision in less than brute-force time.  NOTE: the scope of this
| issue is currently limited because the amount of computation required
| is still large.

Since 2.6.4 and 2.7.4 MD2 hasn''t been allowed by default in a chain, so
only
the lenny version is affected.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
    http://security-tracker.debian.net/tracker/CVE-2009-2409


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp4DJMACgkQNxpp46476aremACffxyiPN5YkbSlk2KOxkhEu1lH
kkEAoJYwhbLbk6BnXub0d2mOguNf84b6
=M9fX
-----END PGP SIGNATURE-----

Secure testing team - Aug 2009 - Bug#539901: CVE-2009-2409: spoof certificates by using MD2 design flaws

[Secure-testing-team] Bug#539901: CVE-2009-2409: spoof certificates by using MD2 design flaws