Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
References
Link Providers
http://isc.sans.org/diary.html?storyid=7003 cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html cve-icon cve-icon
http://marc.info/?l=oss-security&m=125198917018936&w=2 cve-icon cve-icon
http://osvdb.org/56723 cve-icon cve-icon
http://secunia.com/advisories/36088 cve-icon cve-icon
http://secunia.com/advisories/36125 cve-icon cve-icon
http://secunia.com/advisories/36139 cve-icon cve-icon
http://secunia.com/advisories/36157 cve-icon cve-icon
http://secunia.com/advisories/36434 cve-icon cve-icon
http://secunia.com/advisories/36669 cve-icon cve-icon
http://secunia.com/advisories/37098 cve-icon cve-icon
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021030.1-1 cve-icon cve-icon
http://www.debian.org/security/2009/dsa-1874 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2009:197 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2009:216 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2009:217 cve-icon cve-icon
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html cve-icon cve-icon
http://www.novell.com/linux/security/advisories/2009_48_firefox.html cve-icon cve-icon
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2009-1207.html cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2009-1432.html cve-icon cve-icon
http://www.securitytracker.com/id?1022632 cve-icon cve-icon
http://www.ubuntu.com/usn/usn-810-1 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/2085 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/3184 cve-icon cve-icon
http://www.wired.com/threatlevel/2009/07/kaminsky/ cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=510251 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2009-2408 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10751 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8458 cve-icon cve-icon
https://usn.ubuntu.com/810-2/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2009-2408 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-07-30T19:00:00

Updated: 2024-08-07T05:52:14.734Z

Reserved: 2009-07-09T00:00:00

Link: CVE-2009-2408

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2009-07-30T19:30:00.313

Modified: 2024-11-21T01:04:48.120

Link: CVE-2009-2408

cve-icon Redhat

Severity : Important

Publid Date: 2009-07-29T00:00:00Z

Links: CVE-2009-2408 - Bugzilla