CVE-2009-2404
icedove - several vulnerabilities
EPSS 21.0%
Description
Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.
How to fix CVE-2009-2404
To remediate CVE-2009-2404, upgrade the affected package to one of the fixed versions listed below.
- Debian/icedove: upgrade to 2.0.0.24-0lenny1 or later
- [package name not given]: upgrade to 3.12.3-1 or later
- [package name not given]: upgrade to 3.12.3.1-0lenny1 or later
Is CVE-2009-2404 being exploited?
Moderate: EPSS is 21.0%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 2.0.0.24-0lenny1
- from 0, < 3.12.3-1
- from 0, < 3.12.3.1-0lenny1