Vulnerabilities according to URL: http://www.opera.com/support/search/view/929/ http://www.opera.com/support/search/view/930/ http://www.opera.com/support/search/view/931/ http://www.opera.com/support/search/view/932/ http://www.opera.com/support/search/view/934/ Resolution: stabilise =www-client/opera-10.00 amd64 ppc x86
CVE-2009-3044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3044): Opera before 10.00 does not properly handle a (1) '\0' character or (2) invalid wildcard character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVE-2009-3045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3045): Opera before 10.00 trusts root X.509 certificates signed with the MD2 algorithm, which makes it easier for man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted server certificate. CVE-2009-3046 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3046): Opera before 10.00 does not check all intermediate X.509 certificates for revocation, which makes it easier for remote SSL servers to bypass validation of the certificate chain via a revoked certificate. CVE-2009-3047 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3047): Opera before 10.00, when a collapsed address bar is used, does not properly update the domain name from the previously visited site to the currently visited site, which might allow remote attackers to spoof URLs. CVE-2009-3048 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3048): Opera before 10.00 on Linux, Solaris, and FreeBSD does not properly implement the "INPUT TYPE=file" functionality, which allows remote attackers to trick a user into uploading an unintended file via vectors involving a "dropped file." CVE-2009-3049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3049): Opera before 10.00 does not properly display all characters in Internationalized Domain Names (IDN) in the address bar, which allows remote attackers to spoof URLs and conduct phishing attacks, related to Unicode and Punycode.
Dear arch teams, please test and stabilise =www-client/opera-10.00 ( amd64,ppc,x86 )
x86 stable
amd64 stable
ppc stable
CVE-2009-2063 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2063): Opera, possibly before 9.25, processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary https web site.
GLSA voting: I'd say YES.
YES too, request filed.
This issue was resolved and addressed in GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml by GLSA coordinator Sean Amoss (ackle).
