The NSS library before 3.12.3, as used in Firefox; GnuTLS before
2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products
support MD2 with X.509 certificates, which might allow remote
attackers to spoof certificates by using MD2 design flaws to generate
a hash collision in less than brute-force time. NOTE: the scope of
this issue is currently limited because the amount of computation
required is still large.
Mozilla team, I recommend a stabilization of nspr-4.8 with nss-3.12.3; the Thunderbird bug on memory is unconfirmed in my opinion, and security takes precedence.
Multi-package bugs with several maintainers make no sense. Please use single bugs and a tracker if appropriate.
gnutls 2.6.6 is stable and all versions before 2.6.5 are affected by another GLSA, so this is not an issue.
The NSS library before 3.12.3. 3.12.3-r1 was stabilized in bug 280839 closed Sept 2009.
GnuTLS before 2.6.4 and 2.7.4; 2.6.4 was stabilized in bug 264392 and 2.7.6 was stabilized in bug 259018
OpenSSL 0.9.8 through 0.9.8k; 0.9.8l was stabilized in bug 292022
This is a tracker for multiple packages that have been handled individually; as no remaining deps exist, I'm closing this.