[Pkg-openssl-devel] Bug#539899: Bug#539899: CVE-2009-2409: spoof certificates by using MD2 design flaws
Kurt Roeckx
kurt at roeckx.be
Wed Aug 5 13:10:04 UTC 2009
On Tue, Aug 04, 2009 at 12:13:36PM +0200, Giuseppe Iuculano wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssl.
>
> CVE-2009-2409[0]:
> | The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
> | and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
> | MD2 with X.509 certificates, which might allow remote attackers to
> | spoof certificates by using MD2 design flaws to generate a hash
> | collision in less than brute-force time. NOTE: the scope of this
> | issue is currently limited because the amount of computation required
> | is still large.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
> http://security-tracker.debian.net/tracker/CVE-2009-2409
> Patch: http://cvs.openssl.org/chngview?cn=18381
Looking at security-tracker, it seems this is also tracked as
CVE-2009-2408?
Please also add openssl097 to the list of affected packages.
Should I prepare packages for stable and oldstable to fix
this?
Kurt
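The CVE quoted above concerns X.509 certificates whose signatures use MD2. The verifier-side mitigation is to stop accepting such certificates rather than to wait for a practical collision. The following is an added example, not code from the thread, from Debian, or from OpenSSL: a small standalone DER walker that extracts the signature algorithm OID from a certificate (both the copy inside tbsCertificate and the outer one), rejects md2WithRSAEncryption (OID 1.2.840.113549.1.1.2), and also flags the two copies disagreeing, which RFC 5280 forbids. The two sample certificates are constructed inline with only the fields the check needs; no real certificate is embedded, and the helper names are my own.

```python
"""Reject X.509 certificates signed with MD2 (CVE-2009-2409 class of issue).

Added example; not part of the original mailing-list thread or of OpenSSL.
Only the fields needed for the check are parsed.
"""

# Signature algorithms built on MD2. 1.2.840.113549.1.1.2 is PKCS#1 md2WithRSAEncryption.
MD2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}

# DER tag numbers used below.
TAG_INTEGER, TAG_OID, TAG_NULL, TAG_BITSTRING, TAG_SEQUENCE = 0x02, 0x06, 0x05, 0x03, 0x30
TAG_EXPLICIT_0 = 0xA0  # [0] EXPLICIT version in tbsCertificate


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID contents to dotted form (first octet packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _algorithm_oid(alg_identifier):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_raw, _ = _read_tlv(alg_identifier, 0)
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_raw)


def certificate_signature_oids(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, pos = _read_tlv(cert, 0)          # tbsCertificate
    if tag != TAG_SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, p = _read_tlv(tbs, 0)               # version [0] (optional) or serialNumber
    if tag == TAG_EXPLICIT_0:
        tag, _, p = _read_tlv(tbs, p)           # serialNumber follows the version
    if tag != TAG_INTEGER:
        raise ValueError("expected serialNumber INTEGER")
    _, inner_alg, _ = _read_tlv(tbs, p)         # tbsCertificate.signature
    _, outer_alg, _ = _read_tlv(cert, pos)      # signatureAlgorithm after tbsCertificate
    return _algorithm_oid(inner_alg), _algorithm_oid(outer_alg)


def check_certificate(cert_der):
    """Return (accepted, detail). Rejects MD2 signatures and inner/outer algorithm mismatch."""
    inner, outer = certificate_signature_oids(cert_der)
    if inner != outer:
        return False, f"signature algorithm mismatch: tbs={inner} outer={outer}"
    if outer in MD2_SIGNATURE_OIDS:
        return False, f"rejected {MD2_SIGNATURE_OIDS[outer]} ({outer}): MD2 is not accepted for certificates"
    return True, outer


# --- constructed sample input (not real certificates) -------------------------

def _der(tag, body):
    """Minimal DER encoder used only to build the samples below."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body


MD2_RSA_OID = bytes.fromhex("2a864886f70d010102")     # 1.2.840.113549.1.1.2
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def _fake_cert(oid_bytes):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } (subset)."""
    alg = _der(TAG_SEQUENCE, _der(TAG_OID, oid_bytes) + _der(TAG_NULL, b""))
    tbs = _der(TAG_SEQUENCE, _der(TAG_INTEGER, b"\x01") + alg)  # serial + signature field only
    sig = _der(TAG_BITSTRING, b"\x00" + b"\x00" * 16)            # dummy signature, 0 unused bits
    return _der(TAG_SEQUENCE, tbs + alg + sig)


MD2_SIGNED_CERT = _fake_cert(MD2_RSA_OID)
SHA256_SIGNED_CERT = _fake_cert(SHA256_RSA_OID)

if __name__ == "__main__":
    for name, cert in (("md2-signed", MD2_SIGNED_CERT), ("sha256-signed", SHA256_SIGNED_CERT)):
        print(name, check_certificate(cert))
```

Running the module prints the verdict for both constructed certificates; the MD2-signed one is rejected and the SHA-256-signed one is accepted. In a real deployment this check belongs at the point where the chain is validated, applied to every certificate in the chain, since a single MD2-signed intermediate is enough for the weakness to matter.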