thr3ads.net - Secure testing team - [Secure-testing-team] Bug#539934: CVE-2009-2404: Heap-based buffer overflow in a regular-expression parser [Aug 2009]

If this information is useful, please help other people find it:
Share via:

Giuseppe Iuculano

2009-Aug-04 14:56 UTC

[Secure-testing-team] Bug#539934: CVE-2009-2404: Heap-based buffer overflow in a regular-expression parser

Package: nss
Version: 3.12.0-6
Severity: serious
Tags: security lenny

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nss.

CVE-2009-2404[0]:
| Heap-based buffer overflow in a regular-expression parser in Mozilla
| Network Security Services (NSS) before 3.12.3, as used in Firefox,
| Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger
| (AIM), allows remote SSL servers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a long
| domain name in the subject''s Common Name (CN) field of an X.509
| certificate, related to the cert_TestHostName function.

This issue is fixed in upstream NSS 3.12.3, so only the lenny version is
vulnerable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404
    http://security-tracker.debian.net/tracker/CVE-2009-2404


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp4TDMACgkQNxpp46476aqh0wCghZbP9Z5/ml4Ka+xwixNh02mU
sk0An3p5CTaTIpcIOyxtByn0cWpvY8m/
=rCbx
-----END PGP SIGNATURE-----

Secure testing team - Aug 2009 - Bug#539934: CVE-2009-2404: Heap-based buffer overflow in a regular-expression parser

[Secure-testing-team] Bug#539934: CVE-2009-2404: Heap-based buffer overflow in a regular-expression parser