exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 9 of 9 RSS Feed

CVE-2009-2404

Status Candidate

Overview

Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.

Related Files

Debian Linux Security Advisory 2025-1
Posted Apr 1, 2010
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2025-1 - Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client.

tags | advisory, remote, vulnerability
systems | linux, debian
advisories | CVE-2009-2408, CVE-2009-2404, CVE-2009-2463, CVE-2009-3072, CVE-2009-3075, CVE-2010-0163
SHA-256 | 5ccd1a2ad93d249d46e731464cdcc802a972eeda3800afed3825af7057dffa07
VMware Security Advisory 2010-0001
Posted Jan 7, 2010
Authored by VMware | Site vmware.com

VMware Security Advisory - Service console packages for Network Security Services (NSS) and NetScape Portable Runtime (NSPR) are updated to versions nss-3.12.3.99.3-1.2157 and nspr-4.7.6-1.2213 respectively. This patch fixes several security issues in the service console packages for NSS and NSPR.

tags | advisory
advisories | CVE-2009-2409, CVE-2009-2408, CVE-2009-2404, CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, CVE-2009-3382
SHA-256 | 750bfc5b2e28a67af487861fbcc96e099b1881a6cbe999078d4626cf32cfde37
Mandriva Linux Security Advisory 2009-197
Posted Dec 3, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-197 - Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate and md2 algorithm flaws, and also cause a denial-of-service and possible code execution via a long domain name in X.509 certificate. This update provides the latest versions of NSS and NSPR libraries which are not vulnerable to those attacks. Packages for 2008.0 are being provided due to extended support for Corporate products.

tags | advisory, spoof, code execution
systems | linux, mandriva
advisories | CVE-2009-2408, CVE-2009-2409, CVE-2009-2404
SHA-256 | ecd423cda5abf43a8f153f67b66965b14d04a924ca31a32378cc5c2e7e74b029
Mandriva Linux Security Advisory 2009-197
Posted Sep 11, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-197-2 - Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate and md2 algorithm flaws, and also cause a denial-of-service and possible code execution via a long domain name in X.509 certificate. This update provides the latest versions of NSS and NSPR libraries which are not vulnerable to those attacks. This update also provides fixed packages for Mandriva Linux 2008.1 and fixes mozilla-thunderbird error messages.

tags | advisory, spoof, code execution
systems | linux, mandriva
advisories | CVE-2009-2408, CVE-2009-2409, CVE-2009-2404
SHA-256 | 394905da2291d3fb11814cfdd3fb15394407e4aae6c16a48e8e81df3b42b194f
Debian Linux Security Advisory 1874-1
Posted Aug 26, 2009
Authored by Debian | Site debian.org

Debian Security Advisory 1874-1 - Several vulnerabilities have been discovered in the Network Security Service libraries.

tags | advisory, vulnerability
systems | linux, debian
advisories | CVE-2009-2404, CVE-2009-2408, CVE-2009-2409
SHA-256 | c3c145e663c0e41608a4517f6698e23ceea9427cb81c0b2b53641a715105c451
Mandriva Linux Security Advisory 2009-216
Posted Aug 24, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-216 - A number of security vulnerabilities have been discovered in the NSS and NSPR libraries and in Mozilla Thunderbird.

tags | advisory, vulnerability
systems | linux, mandriva
advisories | CVE-2009-2625, CVE-2009-2408, CVE-2009-2409, CVE-2009-2404
SHA-256 | e8e619c27abfa1ea866f6d756a974aa55669f6f2b6b85c33173163bb95017751
Mandriva Linux Security Advisory 2009-198
Posted Aug 11, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-198 - Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call window.open() on an invalid URL which looks similar to a legitimate URL and then use document.write() to place content within the new document, appearing to have come from the spoofed location. Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. This update provides the latest Mozilla Firefox 3.0.x to correct these issues. Additionally, some packages which require so, have been rebuilt and are being provided as updates.

tags | advisory, overflow, arbitrary, spoof
systems | linux, mandriva
advisories | CVE-2009-2654, CVE-2009-2404, CVE-2009-2408
SHA-256 | 75f839274f8e82729d0a4c1aca579dbfb860f6c2f1f69f8353c4f57860a78bd7
Mandriva Linux Security Advisory 2009-197
Posted Aug 11, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-197 - Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate and md2 algorithm flaws, and also cause a denial-of-service and possible code execution via a long domain name in X.509 certificate. This update provides the latest versions of NSS and NSPR libraries which are not vulnerable to those attacks.

tags | advisory, spoof, code execution
systems | linux, mandriva
advisories | CVE-2009-2408, CVE-2009-2409, CVE-2009-2404
SHA-256 | bd0fc6956d963e958bc33f7098949780b68da008df3fe89a2bb4d9f2af528903
Ubuntu Security Notice 810-1
Posted Aug 6, 2009
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice USN-810-1 - Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names. A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash) or execute arbitrary code as the user invoking the program. Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Dan Kaminsky discovered NSS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site.

tags | advisory, remote, denial of service, arbitrary
systems | linux, ubuntu
advisories | CVE-2009-2404, CVE-2009-2408, CVE-2009-2409
SHA-256 | 551f75cb720ebd7eaa1e942d3bd0085543b035e372926a826f94e7e0b94f1eb5
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close