Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 280591 - <dev-libs/openssl-0.9.8l-r2 Disable MD2 to prevent certificate spoofing (CVE-2009-2409)
Summary: <dev-libs/openssl-0.9.8l-r2 Disable MD2 to prevent certificate spoofing (CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [glsa]
Keywords:
Depends on: 292022 294615
Blocks: CVE-2009-2409
  Show dependency tree
 
Reported: 2009-08-06 19:54 UTC by Robert Buchholz (RETIRED)
Modified: 2009-12-01 21:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:54:27 UTC
+++ This bug was initially created as a clone of Bug #280227 +++

CVE-2009-2409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2409):
  The NSS library before 3.12.3, as used in Firefox; GnuTLS before
  2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products
  support MD2 with X.509 certificates, which might allow remote
  attackers to spoof certificates by using MD2 design flaws to generate
  a hash collision in less than brute-force time.  NOTE: the scope of
  this issue is currently limited because the amount of computation
  required is still large.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:55:22 UTC
Mark Cox wrote:

So for upstream OpenSSL we have disabled MD2 support completely.  This
was done in two stages; the first was a patch in June 2009
(http://marc.info/?l=openssl-cvs&m=124508133203041&w=2) that removed
the check of a trusted root self-signed certificate.  Then MD2 was
disabled in July, (http://cvs.openssl.org/chngview?cn=18381).  Although there
have not yet been any
upstream releases containing these fixes, future OpenSSL 0.9.8 (after
0.9.8k), and OpenSSL 1.0.0 releases will contain this fix.
Comment 2 SpanKY gentoo-dev 2009-11-05 19:56:49 UTC
openssl-0.9.8l is in the tree now
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-05 22:34:08 UTC
Stabilization via bug 292022.
Comment 4 SpanKY gentoo-dev 2009-11-21 03:29:56 UTC
CVE-2009-2409 wasnt in the 0.9.8l release, so i added it to 0.9.8l-r1
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-01 21:33:37 UTC
GLSA 200912-01