
Bug 147838

Summary: www-client/opera - ssl/dns spoofing vulnerability
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: axxo, denilsonsa, jer
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
Whiteboard: B3? [glsa] jaervosz
Package list:
Runtime testing required: ---
Bug Depends on: 146702    
Bug Blocks:    
Attachments (description, flags):
opera 9.02 ebuild, none
opera 9.02 install patch, none

Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2006-09-16 11:12:31 UTC
According to this¹ site, Opera, similar to the recently fixed openssl and mozilla packages, accepts faked ssl certificates as well.


[1] http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-17 07:31:33 UTC
This should be fixed in 9.02.
Comment 3 Wolf Giesen (RETIRED) gentoo-dev 2006-09-21 04:02:59 UTC
*** Bug 148489 has been marked as a duplicate of this bug. ***
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-21 04:11:17 UTC
Axxo, 9.02 is available. Please bump.
Comment 5 Wolf Giesen (RETIRED) gentoo-dev 2006-09-21 04:36:26 UTC
Huh, isn't that 9.02 RC2, still?
Comment 6 Wolf Giesen (RETIRED) gentoo-dev 2006-09-21 04:37:44 UTC
/me kicks squid :(
Comment 7 Eion Robb 2006-09-21 15:04:13 UTC
Created attachment 97697 [details]
opera 9.02 ebuild
Comment 8 Eion Robb 2006-09-21 15:04:52 UTC
Created attachment 97698 [details, diff]
opera 9.02 install patch

put into files/ directory with ebuild
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2006-09-21 15:30:30 UTC
(In reply to comment #6)
> Created an attachment (id=97697)
> opera 9.02 ebuild
> 

(In reply to comment #7)
> Created an attachment (id=97698)
> opera 9.02 install patch
> 
> put into files/ directory with ebuild
> 

Sorry, both of you. As bug 146702 shows, the ebuild has been in the tree for a few decaminutes and the stabilisation procedure has started. This bug depends on the stabilisation bug.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2006-09-23 08:57:29 UTC
www-client/opera-9.02 is stable on all arches.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-23 09:51:35 UTC
This one is ready for GLSA vote.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-23 12:25:06 UTC
*cough* stabling of security bugs should be handled on the related security bug report, not on other bug reports ...
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-23 13:43:33 UTC
@Jeroen, Tobias is right. We usually mark stable on the security bug so arches know what is up.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2006-09-23 14:07:30 UTC
(In reply to comment #12)
> @Jeroen, Tobias is right. We usually mark stable on the security bug so arches
> know what is up.

Right. Could you point me toward the relevant documentation?
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-23 22:23:39 UTC
http://www.gentoo.org/security/en/vulnerability-policy.xml
http://www.gentoo.org/security/en/coordinator_guide.xml

Only some parts of the GLSA Coordinator Guide are relevant.

If you have any questions just pop in #-security and ask.

Now back to bug voting :-)
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-26 11:24:05 UTC
tending to vote yes
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-26 13:06:14 UTC
Security please vote.
Comment 18 Wolf Giesen (RETIRED) gentoo-dev 2006-09-26 22:04:40 UTC
Since it contains a fix for the same problem as GLSA'd openssl/gnutls I say YES.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-27 01:11:53 UTC
Voting YES. Let's have a GLSA.
Comment 20 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-28 07:26:32 UTC
GLSA 200609-18

thanks everyone