= Security =
- Fixed -
* Fixed a moderately severe issue; details will be disclosed at a later date
* Fixed an issue that could allow pages to set cookies or communicate cross-site for some top level domains; see our advisory[1]
* Improved handling of certificate revocation corner cases
* Added a fix for a weakness in the SSL v3.0 and TLS 1.0 specifications, as reported by Thai Duong and Juliano Rizzo; see our advisory[2]
* Fixed an issue where the JavaScript "in" operator allowed leakage of cross-domain information, as reported by David Bloom; see our advisory[3]

[1] http://www.opera.com/support/kb/view/1003/
[2] http://www.opera.com/support/kb/view/1004/
[3] http://www.opera.com/support/kb/view/1005/
Arch teams, please test and mark stable:
=www-client/opera-11.60.1185
Target KEYWORDS="amd64 x86"
There is more than one vulnerability, but Secunia, atm, shows only one CVE number. I will investigate.
https://secunia.com/advisories/47077/
amd64 ok
x86 stable
amd64: pass
Stable for AMD64, thanks Elijah.
@security, please confirm B4 and go to vote.
Thanks, folks. GLSA vote: yes, since the issue with undisclosed details is likely more severe.
CVE-2011-4683 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4683):
  Unspecified vulnerability in Opera before 11.60 has unknown impact and attack vectors, related to a "moderately severe issue."

CVE-2011-4682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4682):
  The JavaScript engine in Opera before 11.60 does not properly implement the in operator, which allows remote attackers to bypass the Same Origin Policy via vectors related to variables on different web sites.

CVE-2011-4681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4681):
  Opera before 11.60 does not properly consider the number of . (dot) characters that conventionally exist in domain names of different top-level domains, which allows remote attackers to bypass the Same Origin Policy by leveraging access to a different domain name in the same top-level domain, as demonstrated by the .no or .uk domain.
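Added example, not part of the original thread and not Opera's or Gentoo's code: the class of check behind CVE-2011-4681, showing a dot-counting cookie Domain test beside a suffix-aware one. All function names are hypothetical, and the rule set is a small constructed sample shaped like Public Suffix List entries.

```javascript
// Constructed sample rules (assumption); a real check loads the full,
// current Public Suffix List instead of this short set.
const SUFFIX_RULES = new Set(["com", "no", "priv.no", "uk", "co.uk", "org.uk"]);

// Longest matching rule wins; an unknown TLD falls back to its last label.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SUFFIX_RULES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// True when host equals domain or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Normalise a cookie Domain attribute: lower-case, drop one leading dot.
function normalise(domain) {
  return domain.toLowerCase().replace(/^\./, "");
}

// Weak form (hypothetical): any Domain value with an embedded dot is
// treated as site-specific, so "co.uk" and "priv.no" pass.
function naiveAllowsCookieDomain(host, domain) {
  const d = normalise(domain);
  return d.includes(".") && domainMatches(host.toLowerCase(), d);
}

// Suffix-aware form: the Domain value must cover the host and must not
// itself be a public suffix, whatever number of dots it contains.
function allowsCookieDomain(host, domain) {
  const d = normalise(domain);
  if (!domainMatches(host.toLowerCase(), d)) return false;
  return publicSuffix(d) !== d;
}

// Constructed sample requests: [request host, cookie Domain attribute].
const SAMPLES = [
  ["shop.example.co.uk", "co.uk"],
  ["a.priv.no", ".priv.no"],
  ["shop.example.co.uk", "example.co.uk"],
  ["www.example.no", "example.no"],
];
for (const [host, domain] of SAMPLES) {
  console.log(host, domain, "naive:", naiveAllowsCookieDomain(host, domain),
              "suffix-aware:", allowsCookieDomain(host, domain));
}
```

The first two samples are accepted by the dot-counting check and rejected by the suffix-aware one; the last two are accepted by both.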
Added to pending GLSA.
This issue was resolved and addressed in GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml by GLSA coordinator Sean Amoss (ackle).