CVE-2009-2409

Publication date 30 July 2009

Last updated 24 July 2024

Ubuntu priority

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
gnutls12	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	9.10 karmic	Not in release
	9.04 jaunty	Not in release
	8.10 intrepid	Not in release
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Fixed 1.2.9-2ubuntu1.5
gnutls13	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	9.10 karmic	Not in release
	9.04 jaunty	Not in release
	8.10 intrepid	Not in release
	8.04 LTS hardy	Fixed 2.0.4-1ubuntu2.5
	6.06 LTS dapper	Not in release
gnutls26	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	9.10 karmic	Not affected
	9.04 jaunty	Fixed 2.4.2-5
	8.10 intrepid	Fixed 2.4.1-1ubuntu0.3
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release
nss	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	9.10 karmic	Fixed 3.12.3.1-0ubuntu1
	9.04 jaunty	Fixed 3.12.3.1-0ubuntu0.9.04.1
	8.10 intrepid	Fixed 3.12.3.1-0ubuntu0.8.10.1
	8.04 LTS hardy	Fixed 3.12.3.1-0ubuntu0.8.04.1
	6.06 LTS dapper	Not in release
openjdk-6	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	9.10 karmic	Fixed 6b16-1.6.1-3ubuntu1
	9.04 jaunty	Fixed 6b14-1.4.1-0ubuntu12
	8.10 intrepid	Fixed 6b12-0ubuntu6.6
	8.04 LTS hardy	Fixed 6b18-1.8.2-4ubuntu1~8.04.1
	6.06 LTS dapper	Not in release
openssl	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	9.10 karmic	Fixed 0.9.8g-16ubuntu3
	9.04 jaunty	Fixed 0.9.8g-15ubuntu3.3
	8.10 intrepid	Fixed 0.9.8g-10.1ubuntu2.5
	8.04 LTS hardy	Fixed 0.9.8g-4ubuntu3.8
	6.06 LTS dapper	Fixed 0.9.8a-7ubuntu0.10

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
openssl	Upstream: http://marc.info/?l=openssl-cvs&m=124508133203041&w=2 Upstream: http://marc.info/?l=openssl-cvs&m=124704528713852&w=2

References

Related Ubuntu Security Notices (USN)

USN-830-1
OpenSSL vulnerability
14 September 2009

USN-810-1
NSS vulnerabilities
4 August 2009

USN-859-1
OpenJDK vulnerabilities
12 November 2009

USN-809-1
GnuTLS vulnerabilities
19 August 2009

Other references

https://www.cve.org/CVERecord?id=CVE-2009-2409