Name | CVE-2009-2409 |
Description | The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-1874-1, DSA-1888-1, DSA-1935-1 |
Debian Bugs | 539895, 539899, 539901 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
nss (PTS) | jessie, jessie (lts) | 2:3.26-1+debu8u19 | fixed |
stretch (security) | 2:3.26.2-1.1+deb9u5 | fixed | |
stretch (lts), stretch | 2:3.26.2-1.1+deb9u8 | fixed | |
buster, buster (lts) | 2:3.42.1-1+deb10u9 | fixed | |
buster (security) | 2:3.42.1-1+deb10u8 | fixed | |
bullseye | 2:3.61-1+deb11u3 | fixed | |
bullseye (security) | 2:3.61-1+deb11u4 | fixed | |
bookworm | 2:3.87.1-1 | fixed | |
bookworm (security) | 2:3.87.1-1+deb12u1 | fixed | |
sid, trixie | 2:3.106-1 | fixed | |
openssl (PTS) | jessie, jessie (lts) | 1.0.1t-1+deb8u22 | fixed |
stretch (security) | 1.1.0l-1~deb9u6 | fixed | |
stretch (lts), stretch | 1.1.0l-1~deb9u10 | fixed | |
buster, buster (lts) | 1.1.1n-0+deb10u7 | fixed | |
buster (security) | 1.1.1n-0+deb10u6 | fixed | |
bullseye | 1.1.1w-0+deb11u1 | fixed | |
bullseye (security) | 1.1.1w-0+deb11u2 | fixed | |
bookworm | 3.0.15-1~deb12u1 | fixed | |
bookworm (security) | 3.0.14-1~deb12u2 | fixed | |
sid, trixie | 3.3.2-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
gnutls13 | source | etch | 1.4.4-3+etch5 | DSA-1935-1 | ||
gnutls13 | source | (unstable) | (unfixed) | |||
gnutls26 | source | lenny | 2.4.2-6+lenny2 | DSA-1935-1 | ||
gnutls26 | source | (unstable) | 2.4.2-5 | low | 539901 | |
nss | source | lenny | 3.12.3.1-0lenny1 | DSA-1874-1 | ||
nss | source | (unstable) | 3.12.3-1 | low | 539895 | |
openjdk-6 | source | (unstable) | 6b17~pre3-1 | low | ||
openssl | source | etch | 0.9.8c-4etch9 | DSA-1888-1 | ||
openssl | source | lenny | 0.9.8g-15+lenny5 | DSA-1888-1 | ||
openssl | source | (unstable) | 0.9.8k-4 | low | 539899 | |
openssl097 | source | etch | 0.9.7k-3.1etch5 | DSA-1888-1 | ||
sun-java6 | source | lenny | 6-20-0lenny1 | |||
sun-java6 | source | (unstable) | 6-17-1 |