CVE-2009-2409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2409): The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Mozilla team, I recommend a stabilization of nspr-4.8 with nss-3.12.3; the Thunderbird bug on memory is unconfirmed in my opinion, and security takes precedence.
Multi-package bugs with several maintainers make no sense. Please use single bugs and a tracker if appropriate.
gnutls 2.6.6 is stable and all versions before 2.6.5 are affected by another GLSA, so this is not an issue.
http://bugs.gentoo.org/show_bug.cgi?id=331299
The NSS library before 3.12.3.
3.12.3-r1 was stabilized in bug 280839 closed Sept 2009.

GnuTLS before 2.6.4 and 2.7.4;
2.6.4 was stabilized in bug 264392 and 2.7.6 was stabilized in bug 259018

OpenSSL 0.9.8 through 0.9.8k;
0.9.8l was stabilized in bug 292022

This is a tracker for multiple packages that have been handled individually; as no remaining deps exist, I'm closing this.