PT-2009-6717 · Mozilla+3 · Network Security Services (NSS) Library+3
Dan Kaminsky · Published 1970-01-01 · Updated 2024-03-12 · CVE-2009-2409
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Network Security Services (NSS) library versions prior to 3.12.3
GnuTLS versions prior to 2.6.4 and 2.7.4
OpenSSL versions 0.9.8 through 0.9.8k
Description
The issue allows remote attackers to potentially spoof certificates by exploiting MD2 design flaws to generate a hash collision in less than brute-force time. This could lead to violations of confidentiality, integrity, and availability of protected information. The scope of this issue is currently limited due to the large amount of computation required.
Recommendations
For Network Security Services (NSS) library versions prior to 3.12.3, update to version 3.12.3 or later.
For GnuTLS versions prior to 2.6.4 and 2.7.4, update to version 2.6.4 or 2.7.4 or later.
For OpenSSL versions 0.9.8 through 0.9.8k, update to version 0.9.8l or later.
As a temporary workaround, consider restricting the use of MD2 with X.509 certificates until a patch is available.
Exploit
Fix
Improper Certificate Validation
Related Identifiers
Affected Products
GnuTLS
Network Security Services (NSS) Library
OpenSSL
Red Hat