[Pkg-openssl-devel] Bug#539899: CVE-2009-2409: spoof certificates by using MD2 design flaws
Giuseppe Iuculano
giuseppe at iuculano.it
Tue Aug 4 10:13:36 UTC 2009
Package: openssl
Severity: important
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssl.
CVE-2009-2409[0]:
| The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
| and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
| MD2 with X.509 certificates, which might allow remote attackers to
| spoof certificates by using MD2 design flaws to generate a hash
| collision in less than brute-force time. NOTE: the scope of this
| issue is currently limited because the amount of computation required
| is still large.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
http://security-tracker.debian.net/tracker/CVE-2009-2409
Patch: http://cvs.openssl.org/chngview?cn=18381