mozilla-firefox: [CAN-2004-0763] Certificates spoof

Bug #7287 reported by Debian Bug Importer
Affects            Status         Importance   Assigned to   Milestone
firefox (Debian)   Fix Released   Unknown
firefox (Ubuntu)   Fix Released   High         Thom May

Bug Description

Automatically imported from Debian bug report #263193 http://bugs.debian.org/263193

CVE References

CAN-2004-0763

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 03 Aug 2004 12:03:39 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mozilla-firefox: [CAN-2004-0763] Certificates spoof

Package: mozilla-firefox
Version: 0.9.1-7
Severity: grave
Tags: security upstream fixed-upstream patch
Justification: user security hole

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763 :

Name: CAN-2004-0763 (under review)

Description: Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to
spoof certificates of trusted web sites via redirects and Javascript that
uses the "onunload" method.

References:
  * BUGTRAQ:20040726 Mozilla Firefox Certificate Spoofing
    URL:http://marc.theaimsgroup.com/?l=bugtraq&m=109087067730938&w=2
  * FULLDISC:20040725 Mozilla Firefox Certificate Spoofing
    URL:http://lists.netsys.com/pipermail/full-disclosure/2004-July/024372.html
  * CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=253121
  * MISC:http://secunia.com/advisories/12160/

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (800, 'unstable'), (750, 'experimental'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-rc2
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 4 Aug 2004 22:04:56 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: <email address hidden>
Subject: Re: mozilla-firefox: [CAN-2004-0763] Certificates spoof

On Tue, Aug 03, 2004 at 12:03:39 +0200, J.H.M. Dassen (Ray) wrote:
> * CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=253121

This bug is among those fixed in Mozilla 1.7.2; see
        http://www.mozilla.org/releases/mozilla1.7.2/
and on the firefox site, I suspect it is fixed in 0.9.3 (haven't found
confirmation yet).

Ray
--
"The problem with the global village is all the global village idiots."
 Paul Ginsparg

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 05 Aug 2004 01:32:52 -0400
From: Eric Dorland <email address hidden>
To: <email address hidden>
Subject: Bug#263193: fixed in mozilla-firefox 0.9.3-1

Source: mozilla-firefox
Source-Version: 0.9.3-1

We believe that the bug you reported is fixed in the latest version of
mozilla-firefox, which is due to be installed in the Debian FTP archive:

mozilla-firefox-dom-inspector_0.9.3-1_i386.deb
  to pool/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_0.9.3-1_i386.deb
mozilla-firefox_0.9.3-1.diff.gz
  to pool/main/m/mozilla-firefox/mozilla-firefox_0.9.3-1.diff.gz
mozilla-firefox_0.9.3-1.dsc
  to pool/main/m/mozilla-firefox/mozilla-firefox_0.9.3-1.dsc
mozilla-firefox_0.9.3-1_i386.deb
  to pool/main/m/mozilla-firefox/mozilla-firefox_0.9.3-1_i386.deb
mozilla-firefox_0.9.3.orig.tar.gz
  to pool/main/m/mozilla-firefox/mozilla-firefox_0.9.3.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <email address hidden> (supplier of updated mozilla-firefox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 4 Aug 2004 20:21:22 -0400
Source: mozilla-firefox
Binary: mozilla-firefox mozilla-firefox-dom-inspector
Architecture: source i386
Version: 0.9.3-1
Distribution: unstable
Urgency: low
Maintainer: Eric Dorland <email address hidden>
Changed-By: Eric Dorland <email address hidden>
Description:
 mozilla-firefox - lightweight web browser based on Mozilla
 mozilla-firefox-dom-inspector - tool for inspecting the DOM of pages in Mozilla Firefox
Closes: 262679 263149 263193
Changes:
 mozilla-firefox (0.9.3-1) unstable; urgency=low
 .
   * New upstream release. (Closes: #263193)
   * debian/update-mozilla-firefox-chrome.8: Add manpage from Mark Suter
     for update-mozilla-firefox-chrome.8. (Closes: #263149)
   * debian/mozilla-firefox.manpages: Add update-mozilla-firefox-chrome.8.
   * debian/control: Add build-deps on gcc-3.4 for amd64. (Closes: #262679)
Files:
 9e12d8b2081f3ca430bf62d69c822057 879 web optional mozilla-firefox_0.9.3-1.dsc
 36df24ee1433cbad6af2cc7b4bb59638 41689236 web optional mozilla-firefox_0.9.3.orig.tar.gz
 7e2f5855b1d22b8e322de14d863ba34f 162740 web optional mozilla-firefox_0.9.3-1.diff.gz
 ea249e47d4f2c2f4c8927798cae518e2 9832120 web optional mozilla-firefox_0.9.3-1_i386.deb
 abf884c6ff92820fa412a4e401c7b048 139214 web optional mozilla-firefox-dom-inspector_0.9.3-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBEbrPYemOzxbZcMYRAtIYAJ9VSoTCTzjafqA80EvLm7yqOXinAQCfXFKp
VgdOlxKg+j+JA/PeBxR83Y8=
=S25Y
-----END PGP SIGNATURE-----

Thom May (thombot) wrote :

Synced 0.9.3 from unstable

Changed in firefox:
status: Unknown → Fix Released