FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2009-2404

This CVE name corresponds to:

Entered     Topic
2009-08-04  mozilla -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2009-2404
Phase Assigned(20090709)

Description

Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.

References

Source Reference
MISC http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=512912
CONFIRM http://www.mozilla.org/security/announce/2009/mfsa2009-43.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpuapr2010-099504.html
DEBIAN DSA-1874
MANDRIVA MDVSA-2009:197
MANDRIVA MDVSA-2009:216
REDHAT RHSA-2009:1185
REDHAT RHSA-2009:1207
SUNALERT 273910
SUNALERT 1021030
SUNALERT 1021699
SUSE SUSE-SA:2009:048
UBUNTU USN-810-1
UBUNTU USN-810-2
CERT TA10-103B
BID 35891
OVAL oval:org.mitre.oval:def:11174
OVAL oval:org.mitre.oval:def:8658
SECUNIA 36102
SECUNIA 36088
SECUNIA 36125
SECUNIA 36139
SECUNIA 36157
SECUNIA 36434
SECUNIA 39428
SECUNIA 37098
VUPEN ADV-2009-2085