thr3ads.net - Secure testing team - [Secure-testing-team] Bug#539895: CVE-2009-2409: spoof certificates by using MD2 design flaws [Aug 2009]

If this information is useful, please help other people find it:
Share via:

Giuseppe Iuculano

2009-Aug-04 09:59 UTC

[Secure-testing-team] Bug#539895: CVE-2009-2409: spoof certificates by using MD2 design flaws

Package: nss
Version: 3.12.0-6
Severity: important
Tags: security lenny

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nss.

CVE-2009-2409[0]:
| The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
| and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
| MD2 with X.509 certificates, which might allow remote attackers to
| spoof certificates by using MD2 design flaws to generate a hash
| collision in less than brute-force time.  NOTE: the scope of this
| issue is currently limited because the amount of computation required
| is still large.


The NSS library since version 3.12.3 has disabled MD2 by default, so only
the lenny version is affected.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
    http://security-tracker.debian.net/tracker/CVE-2009-2409


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp4BpYACgkQNxpp46476ap2EQCfcTQr+2RFdTqKMG0J1dBvCKqY
ddgAn14HPxWzZ6a9Ubsk5f3TKQ/k9zTD
=jhHJ
-----END PGP SIGNATURE-----

Secure testing team - Aug 2009 - Bug#539895: CVE-2009-2409: spoof certificates by using MD2 design flaws

[Secure-testing-team] Bug#539895: CVE-2009-2409: spoof certificates by using MD2 design flaws