DEBIAN-CVE-2009-2409
Advisory lineage Upstream: 1 Downstream: 3
Published: 30 Jul 2009, 19:30
Last modified: 28 Apr 2026, 20:04
Vulnerability Summary
- Overall Risk (default): minimal, 0/100
- CVSS Score: No data
- EPSS Score: No data
- KEV: Not listed
- Ransomware: No reports
- Public exploits: None found
- Dark Web: Not detected
Timeline
- 30 Jul 2009, 19:30: Published (vulnerability first disclosed)
- 28 Apr 2026, 20:04: Last Modified (vulnerability information updated)
Description
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Affected Systems
- debian•nss
< 3.12.3-1 | < 3.12.3-1 | < 3.12.3-1 | < 3.12.3-1
- debian•openssl
< 0.9.8k-4 | < 0.9.8k-4 | < 0.9.8k-4 | < 0.9.8k-4