Bug 326413 - <www-client/opera-10.60: Multiple vulnerabilities (CVE-2010-{2663,2664})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.opera.com/docs/changelogs/...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-01 08:45 UTC by Jeroen Roovers (RETIRED)
Modified: 2012-06-15 17:40 UTC

See Also:
Package list:
Runtime testing required: ---


Description Jeroen Roovers (RETIRED) gentoo-dev 2010-07-01 08:45:40 UTC
Arch teams, please test and mark stable:
=www-client/opera-10.60
Target KEYWORDS="amd64 ppc x86 ~x86-fbsd"

 = Security =
 * Improved *
Implemented validation of certificates used in widget signatures using OCSP
 * Fixed *
- Fixed vulnerability in Renegotiation feature of the TLS protocol; see our advisory (http://www.opera.com/support/search/view/944/)
- Fixed an issue which could be used to trick users into uploading unexpected files, as reported by Andrew Valums; see our advisory (http://www.opera.com/support/search/view/958/).
- Fixed exposure of widget properties to third party domains; see our advisory (http://www.opera.com/support/search/view/959/).
- Fixed an issue where file inputs could disclose the path to selected files; see our advisory (http://www.opera.com/support/search/view/960/).
- Fixed an issue which could allow certain characters to be used for domain name spoofing; see our advisory (http://www.opera.com/support/search/view/961/).

And from the 10.60 beta 1 changelog:
 = Security =
 * Fixed *
- After accepting a certificate, SSL negotiation fails in some circumstances
- Not being able to install a Skandiabanken CA certificate
- Not being able to accept a self-signed certificate

And there's probably more.
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-01 10:31:34 UTC
x86 stable
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-02 01:34:08 UTC
Needs media-libs/libpng-1.4 when USE=gtk.
Comment 3 Pacho Ramos gentoo-dev 2010-07-02 22:00:29 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-08 22:33:24 UTC
Stable for PPC.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-09 16:47:33 UTC
=www-client/opera-10.11 is now package.masked.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 07:34:00 UTC
GLSA Vote: No; looks like the most severe impact is an info leak.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:04:29 UTC
We have an opera GLSA pending, it will be added there.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:20:14 UTC
CVE-2010-2664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2664):
  Opera before 10.60 allows remote attackers to cause a denial of service
  (application hang) via certain HTML content that has an unclosed SPAN
  element with absolute positioning.

CVE-2010-2663 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2663):
  Opera before 10.60 allows remote attackers to cause a denial of service
  (application hang) via an ended event handler that changes the SRC attribute
  of an AUDIO element.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 17:40:41 UTC
This issue was resolved and addressed in
 GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml
by GLSA coordinator Sean Amoss (ackle).