CVE-2009-2408

Published: 30 July 2009

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

Priority

Status

Package	Release	Status
nss Launchpad, Ubuntu, Debian	Upstream	Released (3.12.3.1)






openssl Launchpad, Ubuntu, Debian	Upstream	Not vulnerable






xulrunner Launchpad, Ubuntu, Debian	Upstream	Needs triage






xulrunner-1.9 Launchpad, Ubuntu, Debian	Upstream	Needs triage






xulrunner-1.9.1 Launchpad, Ubuntu, Debian	Upstream	Needs triage

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

CVE-2009-2408

Medium

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading