Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 280227 (CVE-2009-2409) - Disable MD2 digest algorithm (CVE-2009-2409)
Summary: Disable MD2 digest algorithm (CVE-2009-2409)
Status: RESOLVED FIXED
Alias: CVE-2009-2409
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4
Keywords: Tracker
Depends on: 280591 280595
Blocks:
  Show dependency tree
 
Reported: 2009-08-03 22:09 UTC by Stefan Behte (RETIRED)
Modified: 2014-06-01 16:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-08-03 22:09:13 UTC 
CVE-2009-2409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2409):
  The NSS library before 3.12.3, as used in Firefox; GnuTLS before
  2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products
  support MD2 with X.509 certificates, which might allow remote
  attackers to spoof certificates by using MD2 design flaws to generate
  a hash collision in less than brute-force time.  NOTE: the scope of
  this issue is currently limited because the amount of computation
  required is still large.
Comment 1 Jory A. Pratt gentoo-dev 2009-08-04 03:26:50 UTC 
Mozilla team I recommend a stabilization of nspr-4.8 with nss-3.12.3, the thunderbird bug on memory is unconfirmed in my opinion, and security takes presidency.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:27:47 UTC 
Multi-package bugs with several maintainers make no sense. Please use single bugs and a tracker if appropriate.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:58:23 UTC 
gnutls 2.6.6 is stable and all versions before 2.6.5 are affected by another GLSA, so this is not an issue.
Comment 4 Sergey Ilinykh 2010-08-05 10:55:20 UTC 
http://bugs.gentoo.org/show_bug.cgi?id=331299
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-01 16:59:45 UTC 
The NSS library before 3.12.3. 3.12.3-r1 was stabilized in bug 280839 closed Sept 2009. 
GnuTLS before  2.6.4 and 2.7.4; 2.6.4 was stabilized in bug 264392 and 2.7.6 was stabilized in bug 259018
OpenSSL 0.9.8 through 0.9.8k; 0.9.8l was stabilized in bug 292022 

This is a tracker for multiple packages that have been handled individually, as no remaining deps exists I'm closing this.