mozilla: Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email
Bug #7084 reported by
Debian Bug Importer
This bug report is a duplicate of:
Bug #7076: Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mozilla (Debian) | Fix Released | Unknown | | |
| mozilla (Ubuntu) | Invalid | High | Unassigned | |
Bug Description
Automatically imported from Debian bug report #259946 http://
Changed in mozilla:
status: Unknown → Fix Released
Message-ID: <email address hidden>
Date: Sat, 17 Jul 2004 15:20:01 +0200
From: Martin Helas <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mozilla: Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email
Package: mozilla
Version: Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email
Severity: critical
Tags: security
Please have a look at http://bugzilla.mozilla.org/show_bug.cgi?id=249004
Importing a self-made certificate (call it x) with the same DN (but different
serial nr) as a built-in CA root cert (called b) overrides the built-in one:
trying to open a SSL page protected by a cert signed by b throws an error -8182
('certificate presented by xyz.com is invalid or corrupt') -> Denial of Service.
This bug may also affect other packages (e.g. mozilla-firefox)
Greetings
Martin
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15

--
Martin Helas <email address hidden> or <email address hidden>
http://www.helas.net or http://mhelas.blogspot.com
GPGKey-Fingerprint: 14744CACEF5CECFAE29E2CB17929AB90F7AC3AF0
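As an added illustration (not code from the report, Debian or Mozilla/NSS), the following stdlib-only Python model shows the lookup flaw the report describes: a trust store that keys trusted roots by subject DN alone lets the imported cert x shadow the built-in root b, so a server cert signed by b no longer validates, whereas a store that keeps every cert sharing a DN and tries each candidate as issuer keeps validating. The Cert fields, key identifiers and the "signature" check are constructed stand-ins, not real X.509 or NSS behaviour.

```python
# Added example: a model of the trust-anchor lookup flaw described in the
# report; certs and "signatures" are constructed stand-ins, not real X.509.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str      # subject DN
    issuer: str       # DN of the signing CA
    serial: int       # unique per issuer, but not part of the DN
    spki: str         # stands in for this cert's public key
    signed_with: str  # spki of the key that produced the signature

class DnKeyedStore:
    """Flawed: one slot per subject DN, so importing x replaces built-in b."""
    def __init__(self) -> None:
        self.by_subject: Dict[str, Cert] = {}
    def add(self, cert: Cert) -> None:
        self.by_subject[cert.subject] = cert
    def candidates(self, dn: str) -> List[Cert]:
        return [self.by_subject[dn]] if dn in self.by_subject else []

class MultiCertStore:
    """Hardened: keep every cert sharing a DN and try each one as issuer."""
    def __init__(self) -> None:
        self.by_subject: Dict[str, List[Cert]] = {}
    def add(self, cert: Cert) -> None:
        self.by_subject.setdefault(cert.subject, []).append(cert)
    def candidates(self, dn: str) -> List[Cert]:
        return list(self.by_subject.get(dn, []))

def verify_leaf(store, leaf: Cert) -> bool:
    """Valid only if a trusted cert with the issuer DN holds the signing key."""
    return any(c.spki == leaf.signed_with for c in store.candidates(leaf.issuer))

# Constructed data: built-in root b, user-imported x (same DN, other serial
# and key) and the xyz.com server cert signed by b.
ROOT_B = Cert("CN=Example Root CA", "CN=Example Root CA", 1, "spki-b", "spki-b")
CERT_X = Cert("CN=Example Root CA", "CN=Example Root CA", 2, "spki-x", "spki-x")
SITE = Cert("CN=xyz.com", "CN=Example Root CA", 4711, "spki-site", "spki-b")

def validation_before_and_after_import(store_cls) -> Tuple[bool, bool]:
    """(validates with only b trusted, validates after x is also imported)"""
    store = store_cls()
    store.add(ROOT_B)
    before = verify_leaf(store, SITE)
    store.add(CERT_X)  # the import step from the report
    return before, verify_leaf(store, SITE)
```

With the DN-keyed store the result is (True, False), reproducing the "invalid or corrupt" failure after the import; with the multi-cert store it stays (True, True).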