| Summary: | <dev-libs/openssl-0.9.8l-r2 Disable MD2 to prevent certificate spoofing (CVE-2009-2409) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | base-system |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409 | ||
| Whiteboard: | A4 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 292022, 294615 | ||
| Bug Blocks: | 280227 | ||
|
Description
Robert Buchholz (RETIRED)
2009-08-06 19:54:27 UTC
Mark Cox wrote: So for upstream OpenSSL we have disabled MD2 support completely. This was done in two stages; the first was a patch in June 2009 (http://marc.info/?l=openssl-cvs&m=124508133203041&w=2) that removed the check of a trusted root self-signed certificate. Then MD2 was disabled in July, (http://cvs.openssl.org/chngview?cn=18381). Although there have not yet been any upstream releases containing these fixes, future OpenSSL 0.9.8 (after 0.9.8k), and OpenSSL 1.0.0 releases will contain this fix. openssl-0.9.8l is in the tree now Stabilization via bug 292022. CVE-2009-2409 wasnt in the 0.9.8l release, so i added it to 0.9.8l-r1 GLSA 200912-01 |
