Package: openldap
Version: 2.4.17-2.1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openldap.

CVE-2009-2408[0]:
| Mozilla Network Security Services (NSS) before 3.12.3, Firefox before
| 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do
| not properly handle a '\0' character in a domain name in the subject's
| Common Name (CN) field of an X.509 certificate, which allows
| man-in-the-middle attackers to spoof arbitrary SSL servers via a
| crafted certificate issued by a legitimate Certification
| Authority. NOTE: this was originally reported for Firefox before 3.5.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

I've checked that the patch [1] is not applied in the latest version in
unstable; however, there is a note that isn't very clear about whether
this is actually needed [2], but perhaps, to err on the side of caution,
it should be applied regardless.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
    http://security-tracker.debian.org/tracker/CVE-2009-2408
[1] http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h
[2] http://marc.info/?l=oss-security&m=125198917018936&w=2
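The failure mode the CVE text describes is a hostname check that treats the certificate's CN as a NUL-terminated C string even though the DER-encoded CN carries an explicit length, so everything after an embedded '\0' is silently ignored. The following is an added illustration, not code from this bug report, from OpenLDAP's tls_m.c or from NSS; it is in C because the referenced patch [1] is to libldap. The function names, the constructed CN byte buffer and the expected hostname are all hypothetical. It places the naive check beside a length-aware check that rejects any CN containing an embedded NUL, which is the defensive behaviour a TLS client should have.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not taken from the bug report): a CN whose DER length
 * covers 29 bytes, with a NUL after the first label.  A C-string comparison
 * only ever sees the bytes before that NUL. */
static const unsigned char CRAFTED_CN[] = "www.example.com\0.test.invalid";
#define CRAFTED_CN_LEN (sizeof(CRAFTED_CN) - 1) /* DER length, excludes the literal's own terminator */

/* Naive check (hypothetical): ignores the DER length and compares as a
 * C string.  The comparison stops at the embedded NUL, so the CN above
 * "matches" www.example.com.  Returns 1 on match, 0 otherwise. */
int cn_matches_host_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                      /* the length is never consulted: this is the defect */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened check (hypothetical): a DNS name can never legitimately contain
 * a NUL byte, so any CN with one inside its DER length is rejected outright;
 * otherwise the full length is compared.  Returns 1 on match, 0 otherwise. */
int cn_matches_host_safe(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                      /* embedded NUL: malformed name, reject */
    if (strlen(host) != cn_len)
        return 0;                      /* length must match exactly */
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *expected = "www.example.com";
    printf("naive check accepts crafted CN: %d\n",
           cn_matches_host_naive(CRAFTED_CN, CRAFTED_CN_LEN, expected));
    printf("safe  check accepts crafted CN: %d\n",
           cn_matches_host_safe(CRAFTED_CN, CRAFTED_CN_LEN, expected));
    printf("safe  check accepts honest CN:  %d\n",
           cn_matches_host_safe((const unsigned char *)expected, strlen(expected), expected));
    return 0;
}
```

Real hostname matching also has to handle case-insensitive comparison, wildcard labels and subjectAltName entries; those are left out here so that the single point of the CVE, honouring the encoded length and refusing embedded NULs, stays visible.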