CVE-2009-2408

Published: 30 July 2009

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

Priority

Status

Package	Release	Status
nss Launchpad, Ubuntu, Debian	dapper	Does not exist
	hardy	Released (3.12.3.1-0ubuntu0.8.04.1)
	intrepid	Released (3.12.3.1-0ubuntu0.8.10.1)
	jaunty	Released (3.12.3.1-0ubuntu0.9.04.1)
	upstream	Released (3.12.3.1)
openssl Launchpad, Ubuntu, Debian	dapper	Not vulnerable
	hardy	Not vulnerable
	intrepid	Not vulnerable
	jaunty	Not vulnerable
	upstream	Not vulnerable
xulrunner Launchpad, Ubuntu, Debian	dapper	Does not exist
	hardy	Not vulnerable
	intrepid	Not vulnerable
	jaunty	Not vulnerable
	upstream	Needs triage
xulrunner-1.9 Launchpad, Ubuntu, Debian	dapper	Does not exist
	hardy	Not vulnerable
	intrepid	Not vulnerable
	jaunty	Not vulnerable
	upstream	Needs triage
xulrunner-1.9.1 Launchpad, Ubuntu, Debian	dapper	Does not exist
	hardy	Does not exist
	intrepid	Does not exist
	jaunty	Not vulnerable
	upstream	Needs triage

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

CVE-2009-2408

Medium

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading