808927 – ~www-client/firefox{-bin,}-91.0.1: HTTP/3 header splitting vulnerability

Bug 808927 - ~www-client/firefox{-bin,}-91.0.1: HTTP/3 header splitting vulnerability

Summary: ~www-client/firefox{-bin,}-91.0.1: HTTP/3 header splitting vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:	808929
Blocks:	CVE-2021-29991
	Show dependency tree

Reported:	2021-08-18 19:59 UTC by John Helmert III
Modified:	2021-08-24 16:25 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-08-18 19:59:29 UTC

Need stabilization.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2021-08-18 22:04:19 UTC

(In reply to John Helmert III from comment #0)
> Need stabilization.

No, does not affect any stable firefox version.

Comment 2 Larry the Git Cow gentoo-dev

2021-08-24 13:17:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da107ef65d4b54256399c018f2409d3375ee611a

commit da107ef65d4b54256399c018f2409d3375ee611a
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-08-24 12:19:18 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-08-24 12:52:06 +0000

    www-client/firefox-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/807947
    Bug: https://bugs.gentoo.org/808927
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox-bin/Manifest                  | 194 -----------
 www-client/firefox-bin/firefox-bin-90.0.2.ebuild | 417 -----------------------
 www-client/firefox-bin/firefox-bin-91.0.ebuild   | 384 ---------------------
 3 files changed, 995 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=250bf9a2b6905ed3c1ee7440c3215cf350671e2c

commit 250bf9a2b6905ed3c1ee7440c3215cf350671e2c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-08-24 12:15:13 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-08-24 12:52:05 +0000

    www-client/firefox: security cleanup
    
    Bug: https://bugs.gentoo.org/807947
    Bug: https://bugs.gentoo.org/808927
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest               |  293 -------
 www-client/firefox/firefox-78.12.0.ebuild | 1187 -----------------------------
 www-client/firefox/firefox-90.0.2.ebuild  | 1182 ----------------------------
 www-client/firefox/firefox-91.0.ebuild    | 1149 ----------------------------
 4 files changed, 3811 deletions(-)

Comment 3 John Helmert III archtester

2021-08-24 16:25:03 UTC

Only unstable affected, no GLSA.