Bug 280595 - <dev-libs/nss-3.12.3-r1 Disable MD2 digest algorithm (CVE-2009-2409)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: A4 [noglsa]
Depends on: 280837 280839
Blocks: CVE-2009-2409
Reported: 2009-08-06 19:59 UTC by Robert Buchholz (RETIRED)
Modified: 2009-11-07 16:28 UTC
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:59:07 UTC
+++ This bug was initially created as a clone of Bug #280227 +++

CVE-2009-2409:
  The NSS library before 3.12.3, as used in Firefox; GnuTLS before
  2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products
  support MD2 with X.509 certificates, which might allow remote
  attackers to spoof certificates by using MD2 design flaws to generate
  a hash collision in less than brute-force time.  NOTE: the scope of
  this issue is currently limited because the amount of computation
  required is still large.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 19:59:50 UTC
Mark Cox wrote:
The NSS library since version 3.12.3 (April 2009) has disabled MD2 by
default (although legacy applications can turn it back on using an
environment variable "NSS_ALLOW_WEAK_SIGNATURE_ALG" if they need to).
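The CVE text above describes certificate spoofing via MD2 collisions, and Mark Cox's note says NSS 3.12.3 simply refuses MD2-signed certificates unless NSS_ALLOW_WEAK_SIGNATURE_ALG is set. As an added example (not code from this bug, from NSS or from Gentoo), the following Python script implements the check an auditor would run over a DER certificate before and after such an upgrade: it walks the outer Certificate SEQUENCE, skips tbsCertificate, reads the signatureAlgorithm OID and flags md2/md4/md5WithRSAEncryption. The certificate it parses is a constructed skeleton with a placeholder tbsCertificate and zero signature bytes (labelled as such in the code) so the script runs offline; against a real certificate you would pass the DER bytes of the file.

```python
"""Flag X.509 certificates whose signature uses an MD2/MD4/MD5 digest.

Added example, not part of the Gentoo bug or of NSS. Walks the outer DER
structure of a certificate by hand (standard library only) and reads the
signatureAlgorithm OID that follows tbsCertificate.
"""

# PKCS #1 OIDs for RSA signatures over weak digests. md2WithRSAEncryption is
# the one CVE-2009-2409 is about; md4/md5 are rejected for the same reason.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(body):
    """Turn OID content octets into dotted notation (base-128 arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, cert_start, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, cert_start)     # tbsCertificate (skipped)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm field is not an OID")
    return _decode_oid(der[oid_start:oid_end])


def weak_signature_name(der):
    """Return the weak algorithm's name, or None if the digest is acceptable."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(der))


# --- constructed sample input (not a real certificate) ----------------------

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_certificate(sig_oid):
    """Constructed, syntactically minimal certificate skeleton for the demo:
    tbsCertificate holds only a serial number and the signature is zeros."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 129)  # BIT STRING: 0 unused bits + 128 zero bytes
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.2", "1.2.840.113549.1.1.11"):
        cert = constructed_certificate(oid)
        print(oid, "->", weak_signature_name(cert) or "acceptable digest")
```

One caveat worth keeping in mind when running this over a trust store: the outer signatureAlgorithm of a self-signed root is never verified during path validation (the root is trusted by identity, not by its own signature), so an MD2-signed root on its own is harmless, and several old roots shipped that way. The risk CVE-2009-2409 describes is an MD2 signature on a CA-issued intermediate or end-entity certificate, so the check belongs on every non-root certificate in a presented chain.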
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 20:00:32 UTC
From the original bug:

------- Comment #1 From Jory A. Pratt 2009-08-04 03:26:50 0000 -------

Mozilla team I recommend a stabilization of nspr-4.8 with nss-3.12.3, the
thunderbird bug on memory is unconfirmed in my opinion, and security takes

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 22:41:21 UTC
nspr-4.8 and nss-3.12.3 are stable now.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-11-07 13:55:39 UTC
I vote NO.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 16:28:03 UTC
NO, too. Closing noglsa.