Bug 510197 (CVE-2009-2409)
| Summary: | CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mark J. Cox <mjc> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | ahughes, dbhole, emaldona, gecko-bugs-nobody, jlieskov, jpechane, jvanek, kreilly, mvadkert, nmavrogi, nss-nspr-maint, rrelyea, security-response-team, stransky, tmraz, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-06-10 21:33:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 230399, 513780, 530367, 530368, 532004, 532005, 534067, 534068, 547448, 555167, 555168, 563125, 563127, 565564, 565565, 565580, 565581, 565584, 565585, 582839, 805159 | ||
| Bug Blocks: | |||
|
Description
Mark J. Cox
2009-07-08 10:31:13 UTC
GnuTLS notes: Since 2.6.4 and 2.7.4 MD2 hasn't been allowed by default in a chain. It actually was implemented earlier, but the code was broken, so when backporting it'll need several patches. They also disabled MD5, but if we backport this we do not want to disable MD5 since it will definately break existing things http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00011.html * Version 2.7.4 (released 2009-01-07) also * Version 2.6.4 (released 2009-02-06) ** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures. This is a bugfix -- the previous attempt to do this from internal x509 certificate verification procedures did not return the correct value for certificates using a weak hash. Reported by Daniel Kahn Gillmor <dkg> in <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>, debugged and patch by Tomas Mraz <tmraz> and Daniel Kahn Gillmor <dkg>. 2009-01-06 Daniel Kahn Gillmor <dkg> * lib/x509/verify.c: actually deprecate MD5 and MD2 signatures during X.509 verification by treating them as invalid unless the GNUTLS_VERIFY_ALLOW_SIGN_RSA_{MD5,MD2} flags are present. * Version 2.7.3 (released 2008-12-10) also * Version 2.6.1 (released 2008-11-10) additionally with 2.6.2 ** libgnutls: Fix chain verification for chains that ends with RSA-MD2 CAs. Reported by Michael Kiefer <Michael-Kiefer> in <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507633> forwarded by Andreas Metzler <ametzler.eu.org> in <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3309>. ** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures. This is a bugfix -- the previous attempt to do this from internal x509 certificate verification procedures did not return the correct value for certificates using a weak hash. Reported by Daniel Kahn Gillmor <dkg> in <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>, debugged and patch by Tomas Mraz <tmraz> and Daniel Kahn Gillmor <dkg>. In Red Hat Enterprise Linux, Firefox (and related packages) use the system version of NSS. Therefore as the NSS library is updated to remove MD2 this will cascade into Firefox and related applications. NSS was rebased today by errata RHBA-2009:1161 for Red Hat Enterprise Linux 5 to address other issues. This therefore disables MD2 in Firefox and related packages. This issue was presented by Dan Kaminsky last night at Blackhat. Removing embargo. This issue has been addressed in nss packages in following products: Red Hat Enterprise Linux 4 Via RHSA-2009:1184 https://rhn.redhat.com/errata/RHSA-2009-1184.html This issue has been addressed in nss packages in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1186 https://rhn.redhat.com/errata/RHSA-2009-1186.html This issue has been addressed in nss packages in following products: Red Hat Enterprise Linux 4.7 Z Stream Via RHSA-2009:1190 https://rhn.redhat.com/errata/RHSA-2009-1190.html This issue has been addressed in nss packages in following products: Red Hat Enterprise Linux 5.2 Z Stream Via RHSA-2009:1207 https://rhn.redhat.com/errata/RHSA-2009-1207.html This issue has been addressed in seamonkey-nss packages in following products: Red Hat Enterprise Linux 3 Via RHSA-2009:1432 https://rhn.redhat.com/errata/RHSA-2009-1432.html This issue has been addressed in java-1.6.0-sun packages in following products: Extras for RHEL 4 Extras for Red Hat Enterprise Linux 5 Via RHSA-2009:1560 https://rhn.redhat.com/errata/RHSA-2009-1560.html This issue has been addressed in java-1.5.0-sun packages in following products: Extras for RHEL 4 Extras for Red Hat Enterprise Linux 5 Via RHSA-2009:1571 https://rhn.redhat.com/errata/RHSA-2009-1571.html java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in java-1.6.0-openjdk packages in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1584 https://rhn.redhat.com/errata/RHSA-2009-1584.html This issue has been addressed in java-1.5.0-sun packages in following products: Red Hat Network Satellite Server v 5.1 Via RHSA-2009:1662 https://rhn.redhat.com/errata/RHSA-2009-1662.html This issue has been addressed in openssl packages in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0054 https://rhn.redhat.com/errata/RHSA-2010-0054.html This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Via RHSA-2010:0163 https://rhn.redhat.com/errata/RHSA-2010-0163.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0166 https://rhn.redhat.com/errata/RHSA-2010-0166.html |