
Bug 280595

Summary: <dev-libs/nss-3.12.3-r1 Disable MD2 digest algorithm (CVE-2009-2409)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mozilla
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409
Whiteboard: A4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 280837, 280839
Bug Blocks: 280227

Description Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:59:07 UTC
+++ This bug was initially created as a clone of Bug #280227 +++

CVE-2009-2409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2409):
  The NSS library before 3.12.3, as used in Firefox; GnuTLS before
  2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products
  support MD2 with X.509 certificates, which might allow remote
  attackers to spoof certificates by using MD2 design flaws to generate
  a hash collision in less than brute-force time.  NOTE: the scope of
  this issue is currently limited because the amount of computation
  required is still large.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:59:50 UTC
Mark Cox wrote:
The NSS library since version 3.12.3 (April 2009) has disabled MD2 by
default (although legacy applications can turn it back on using an
environment variable "NSS_ALLOW_WEAK_SIGNATURE_ALG" if they need to).
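The practical defender-side question behind this bug is whether any certificate still in use carries an MD2-based signature, which NSS 3.12.3 now refuses by default. The following is an added example, not code from the bug, from NSS or from Mozilla: a minimal DER walker that reads the outer `signatureAlgorithm` of an X.509 certificate and reports whether its OID is md2WithRSAEncryption or md5WithRSAEncryption. The `make_sample_cert` helper builds a constructed, non-valid certificate skeleton purely so the check runs offline; the OID table and the helper names are this example's own.

```python
"""Flag certificates whose outer signatureAlgorithm is an MD2- or MD5-based RSA signature.

Added example for the NSS MD2 discussion; not part of NSS or of the bug report.
"""
import base64

# PKCS#1 signature-algorithm OIDs that NSS 3.12.3 treats as weak by default.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, as used by real certificates
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der_cert):
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (Certificate)")
    _, _, pos = _read_tlv(cert_body, 0)          # skip tbsCertificate
    tag, alg_body, _ = _read_tlv(cert_body, pos)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_value, _ = _read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_value)


def check_certificate(der_cert):
    """Return (oid, weak_name_or_None) for a DER certificate."""
    oid = signature_algorithm_oid(der_cert)
    return oid, WEAK_SIG_OIDS.get(oid)


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode the body (for real certificate files)."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample data below; not a usable certificate ------------------

def _tlv(tag, value):
    assert len(value) < 128  # short-form lengths suffice for the sample
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(chunk)
    return out


def make_sample_cert(sig_oid):
    """Build a Certificate skeleton (placeholder tbsCertificate, given signatureAlgorithm)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                         # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\x00" * 4)                         # placeholder BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.2", "1.2.840.113549.1.1.11"):
        print(check_certificate(make_sample_cert(oid)))
```

On a real file, `check_certificate(pem_to_der(open("cert.pem").read()))` performs the same test; the walker only looks at the outer AlgorithmIdentifier, which is the field a verifier actually uses to pick the digest, so it does not depend on parsing the full `tbsCertificate`.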
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 20:00:32 UTC
From the original bug:

------- Comment #1 From Jory A. Pratt 2009-08-04 03:26:50 0000 -------

Mozilla team, I recommend a stabilization of nspr-4.8 with nss-3.12.3; the
thunderbird bug on memory is unconfirmed in my opinion, and security takes
precedence.

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 22:41:21 UTC
nspr-4.8 and nss-3.12.3 are stable now.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-11-07 13:55:39 UTC
I vote NO
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 16:28:03 UTC
NO, too. Closing noglsa.