CVE-2009-2408
Published: 30 July 2009
Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
Priority
Status
Package | Release | Status |
---|---|---|
nss | dapper | Does not exist |
nss | hardy | Released (3.12.3.1-0ubuntu0.8.04.1) |
nss | intrepid | Released (3.12.3.1-0ubuntu0.8.10.1) |
nss | jaunty | Released (3.12.3.1-0ubuntu0.9.04.1) |
nss | upstream | Released (3.12.3.1) |
openssl | dapper | Not vulnerable |
openssl | hardy | Not vulnerable |
openssl | intrepid | Not vulnerable |
openssl | jaunty | Not vulnerable |
openssl | upstream | Not vulnerable |
xulrunner | dapper | Does not exist |
xulrunner | hardy | Not vulnerable |
xulrunner | intrepid | Not vulnerable |
xulrunner | jaunty | Not vulnerable |
xulrunner | upstream | Needs triage |
xulrunner-1.9 | dapper | Does not exist |
xulrunner-1.9 | hardy | Not vulnerable |
xulrunner-1.9 | intrepid | Not vulnerable |
xulrunner-1.9 | jaunty | Not vulnerable |
xulrunner-1.9 | upstream | Needs triage |
xulrunner-1.9.1 | dapper | Does not exist |
xulrunner-1.9.1 | hardy | Does not exist |
xulrunner-1.9.1 | intrepid | Does not exist |
xulrunner-1.9.1 | jaunty | Not vulnerable |
xulrunner-1.9.1 | upstream | Needs triage |