CVE-2009-2409

Published: 30 July 2009

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

Priority

Medium

Status

Package Release Status
gnutls12
Launchpad, Ubuntu, Debian
Upstream Needs triage

gnutls13
Launchpad, Ubuntu, Debian
Upstream Needs triage

gnutls26
Launchpad, Ubuntu, Debian
Upstream Needs triage

nss
Launchpad, Ubuntu, Debian
Upstream Needs triage

openjdk-6
Launchpad, Ubuntu, Debian
Upstream
Released (6b17)
openssl
Launchpad, Ubuntu, Debian
Upstream Needs triage

Patches:
Upstream: http://marc.info/?l=openssl-cvs&m=124508133203041&w=2
Upstream: http://marc.info/?l=openssl-cvs&m=124704528713852&w=2