+++ This bug was initially created as a clone of Bug #280227 +++ CVE-2009-2409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2409): The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Mark Cox wrote: The NSS library since version 3.12.3 (April 2009) has disabled MD2 by default (although legacy applications can turn it back on using an environment variable "NSS_ALLOW_WEAK_SIGNATURE_ALG" if they need to).
From the original bug: ------- Comment #1 From Jory A. Pratt 2009-08-04 03:26:50 0000 [reply] ------- Mozilla team I recommend a stabilization of nspr-4.8 with nss-3.12.3, the thunderbird bug on memory is unconfirmed in my opinion, and security takes presidency.
nspr-4.8 and nss-3.12.3 are stable now.
i vote NO
NO, too. Closing noglsa.