On Wed, Aug 05, 2009 at 03:10:04PM +0200, Kurt Roeckx wrote:
> On Tue, Aug 04, 2009 at 12:13:36PM +0200, Giuseppe Iuculano wrote:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for openssl.
> > 
> > CVE-2009-2409[0]:
> > | The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
> > | and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support
> > | MD2 with X.509 certificates, which might allow remote attackers to
> > | spoof certificates by using MD2 design flaws to generate a hash
> > | collision in less than brute-force time.  NOTE: the scope of this
> > | issue is currently limited because the amount of computation required
> > | is still large.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
> >     http://security-tracker.debian.net/tracker/CVE-2009-2409
> >     Patch: http://cvs.openssl.org/chngview?cn=18381
> 
> Looking at security-tracker, it seems this is also tracked as
> CVE-2009-2408?
> 
> Please also add openssl097 to the list of affected packages.
> 
> Should I prepare packages for stable and oldstable to fix
> this?

Please go ahead. Please also the previous set of issues, which
we failed to properly communicate with you. Sorry about that!

I'll take care of the update.

Thanks,
        Moritz
