Bug 393395 - <www-client/opera-11.60.1185 - Multiple vulnerabilities (CVE-2011-{4681,4682,4683})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.opera.com/docs/changelogs/...
Whiteboard: B4? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-06 13:58 UTC by Jeroen Roovers (RETIRED)
Modified: 2012-06-15 17:41 UTC
Description Jeroen Roovers (RETIRED) gentoo-dev 2011-12-06 13:58:05 UTC
= Security =
 - Fixed -
* Fixed a moderately severe issue; details will be disclosed at a later date
* Fixed an issue that could allow pages to set cookies or communicate cross-site for some top level domains; see our advisory[1]
* Improved handling of certificate revocation corner cases
* Added a fix for a weakness in the SSL v3.0 and TLS 1.0 specifications, as reported by Thai Duong and Juliano Rizzo; see our advisory[2]
* Fixed an issue where the JavaScript "in" operator allowed leakage of cross-domain information, as reported by David Bloom; see our advisory[3]

[1] http://www.opera.com/support/kb/view/1003/
[2] http://www.opera.com/support/kb/view/1004/
[3] http://www.opera.com/support/kb/view/1005/
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2011-12-06 14:04:36 UTC
Arch teams, please test and mark stable:
=www-client/opera-11.60.1185
Target KEYWORDS="amd64 x86"
Comment 2 Agostino Sarubbo gentoo-dev 2011-12-06 14:11:07 UTC
There is more than one vulnerability, but Secunia, atm, shows only one CVE number. I will investigate.

https://secunia.com/advisories/47077/
Comment 3 Agostino Sarubbo gentoo-dev 2011-12-06 15:48:43 UTC
amd64 ok
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-12-08 17:03:10 UTC
x86 stable
Comment 5 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-12-10 19:25:59 UTC
amd64: pass
Comment 6 Agostino Sarubbo gentoo-dev 2011-12-11 17:25:53 UTC
Stable for AMD64, thanks Elijah

@security, please confirm B4 and go to vote.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-12-11 19:17:40 UTC
Thanks, folks. GLSA vote: yes, since the issue with undisclosed details is likely more severe.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-02-25 04:01:18 UTC
CVE-2011-4683 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4683):
  Unspecified vulnerability in Opera before 11.60 has unknown impact and
  attack vectors, related to a "moderately severe issue."

CVE-2011-4682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4682):
  The JavaScript engine in Opera before 11.60 does not properly implement the
  in operator, which allows remote attackers to bypass the Same Origin Policy
  via vectors related to variables on different web sites.

CVE-2011-4681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4681):
  Opera before 11.60 does not properly consider the number of . (dot)
  characters that conventionally exist in domain names of different top-level
  domains, which allows remote attackers to bypass the Same Origin Policy by
  leveraging access to a different domain name in the same top-level domain,
  as demonstrated by the .no or .uk domain.
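
The class of check behind CVE-2011-4681, as an added example that is not part of the bug report and is not Opera's code: a cookie-domain validator that only counts dots, next to one that consults a public-suffix set. The dot-counting rule, the function names and the short `SAMPLE_SUFFIXES` set are assumptions made for illustration.

```python
# Constructed sample of public suffixes (assumption for this example).
# A real validator loads the full Public Suffix List from publicsuffix.org.
SAMPLE_SUFFIXES = {"com", "no", "uk", "co.uk"}


def normalize(name):
    """Lower-case a host or cookie Domain value and drop surrounding dots."""
    return name.strip().strip(".").lower()


def domain_match(host, cookie_domain):
    """True if host equals cookie_domain or is a subdomain of it."""
    host, cookie_domain = normalize(host), normalize(cookie_domain)
    return host == cookie_domain or host.endswith("." + cookie_domain)


def dot_count_allows(host, cookie_domain):
    """Weak rule: any Domain value containing a dot is treated as a site.

    This accepts multi-label registry suffixes, so every site registered
    under such a suffix would share the cookie.
    """
    domain = normalize(cookie_domain)
    return "." in domain and domain_match(host, domain)


def suffix_aware_allows(host, cookie_domain, suffixes=SAMPLE_SUFFIXES):
    """Hardened rule: reject a Domain value that is itself a public suffix."""
    domain = normalize(cookie_domain)
    return bool(domain) and domain not in suffixes and domain_match(host, domain)


def audit(host, cookie_domain):
    """Report how each rule treats one Set-Cookie Domain attribute."""
    return {
        "dot_count": dot_count_allows(host, cookie_domain),
        "suffix_aware": suffix_aware_allows(host, cookie_domain),
    }


if __name__ == "__main__":
    # Constructed inputs: (requesting host, Domain attribute of the cookie)
    for host, domain in [("shop.example.co.uk", "co.uk"),
                         ("shop.example.co.uk", ".example.co.uk"),
                         ("example.no", "no")]:
        print(host, domain, audit(host, domain))
```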
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:15:54 UTC
Added to pending GLSA.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 17:41:29 UTC
This issue was resolved and addressed in
 GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml
by GLSA coordinator Sean Amoss (ackle).