
List:       oss-security
Subject:    Re: [oss-security] CVE request: firefox doesn't (re)validate
From:       Reed Loden <reed () reedloden ! com>
Date:       2011-05-31 21:15:18
Message-ID: 20110531141518.462507cf () angelo ! pretender ! us

Mozilla has assigned this CVE-2011-0082.

Thanks all,
~reed

On Tue, 31 May 2011 13:09:59 -0700
Reed Loden <reed@reedloden.com> wrote:

> Looks like Red Hat reported this upstream to Mozilla late last night...
> 
> Mozilla is tracking this as
> https://bugzilla.mozilla.org/show_bug.cgi?id=660749.
> 
> No CVE has been assigned yet (afaict), but I'll see about getting one
> assigned once this has been confirmed.
> 
> ~reed
> 
> On Tue, 31 May 2011 15:42:58 -0400 (EDT)
> Josh Bressers <bressers@redhat.com> wrote:
> 
> > I'm going to save this one for upstream. It's possible they've already
> > assigned something (Mozilla is a CNA).
> > 
> > I've CC'd Reed in the rare event he doesn't know about this.
> > 
> > Thanks.
> > 
> > -- 
> >     JB
> > 
> > ----- Original Message -----
> > > Hi,
> > > found this in RH's bugzilla:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=709165
> > > 
> > > Vincent Danen 2011-05-30 18:38:43 EDT
> > > 
> > > A Debian bug report [1] indicated that Firefox 4.0.x handled the
> > > validation/revalidation of SSL certificates improperly. If a user were to
> > > visit a site with an untrusted certificate, Firefox would correctly display the
> > > warning about the untrusted connection. If a user were to confirm the security
> > > exception for a single session (not check off the "permanently store this
> > > exception"), then restart the browser and re-load the page, the contents of the
> > > page would be displayed from the Firefox cache. Upon reloading the page, the
> > > security warning would appear, but incorrectly indicates that the site provides
> > > a valid, verified certificate and there is no way to confirm the exception.
> > > [...]
> > > 
> > > --
> > > Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
> > > SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
> > > 21284 (AG Nürnberg
> > > --
> > > > Whoever stops wanting to become better stops being good.
> > > -- Marie von Ebner-Eschenbach
