Bug 147838

Summary:

www-client/opera - ssl/dns spoofing vulnerability

Product:

Gentoo Security

Reporter:

Carsten Lohrke (RETIRED) <carlo>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

CC:

axxo, denilsonsa, jer

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

http://www.cdc.informatik.tu-darmstadt.de/securebrowser/

Whiteboard:

B3? [glsa] jaervosz

Package list:

Runtime testing required:

---

Bug Depends on:

146702

Bug Blocks:

Attachments:

Description	Flags
opera 9.02 ebuild	none
opera 9.02 install patch	none

Description Carsten Lohrke (RETIRED) gentoo-dev

2006-09-16 11:12:31 UTC

According to this

Comment 1 Carsten Lohrke (RETIRED) gentoo-dev

2006-09-16 11:12:31 UTC

According to this¹ site, Opera, similar to the recently fixed openssl and mozilla packages, accepts faked ssl certificates as well.


[1] http://www.cdc.informatik.tu-darmstadt.de/securebrowser/

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-09-17 07:31:33 UTC

This should be fixed in 9.02.

Comment 3 Wolf Giesen (RETIRED) gentoo-dev

2006-09-21 04:02:59 UTC

*** Bug 148489 has been marked as a duplicate of this bug. ***

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-09-21 04:11:17 UTC

Axxo, 9.02 is available. Please bump.

Comment 5 Wolf Giesen (RETIRED) gentoo-dev

2006-09-21 04:36:26 UTC

Huh, isn't that 9.02 RC2, still?

Comment 6 Wolf Giesen (RETIRED) gentoo-dev

2006-09-21 04:37:44 UTC

/me kicks squid :(

Comment 7 Eion Robb 2006-09-21 15:04:13 UTC

Created attachment 97697 [details]
opera 9.02 ebuild

Comment 8 Eion Robb 2006-09-21 15:04:52 UTC

Created attachment 97698 [details, diff]
opera 9.02 install patch

put into files/ directory with ebuild

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2006-09-21 15:30:30 UTC

(In reply to comment #6)
> Created an attachment (id=97697) [edit]
> opera 9.02 ebuild
> 

(In reply to comment #7)
> Created an attachment (id=97698) [edit]
> opera 9.02 install patch
> 
> put into files/ directory with ebuild
> 

Sorry, both of you. As bug 146702 shows, the ebuild has been in the tree for a few decaminutes and the stabilisation procedure has started. This bug depends on the stabilisation bug.

Comment 10 Jeroen Roovers (RETIRED) gentoo-dev

2006-09-23 08:57:29 UTC

www-client/opera-9.02 is stable on all arches.

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-09-23 09:51:35 UTC

This one is ready for GLSA vote.

Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev

2006-09-23 12:25:06 UTC

*cough* stabling of security bugs should be handled on the related security bug report, not on other bug reports ...

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-09-23 13:43:33 UTC

@Jeroen, Tobias is right. We usually mark stable on the security bug so arches know what is up.

Comment 14 Jeroen Roovers (RETIRED) gentoo-dev

2006-09-23 14:07:30 UTC

(In reply to comment #12)
> @Jeroen, Tobias is right. We usually mark stable on the security bug so arches
> know what is up.

Right. Could you point me toward the relevant documentation?

Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-09-23 22:23:39 UTC

http://www.gentoo.org/security/en/vulnerability-policy.xml
http://www.gentoo.org/security/en/coordinator_guide.xml

Only some parts of the GLSA Coordinator Guide are relevant.

If you have any questions just pop in #-security and ask.

Now back to bug voting :-)

Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev

2006-09-26 11:24:05 UTC

tending to vote yes

Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-09-26 13:06:14 UTC

Security please vote.

Comment 18 Wolf Giesen (RETIRED) gentoo-dev

2006-09-26 22:04:40 UTC

Since it contains a fix for the same problem as GLSA'd openssl/gnutls I say YES.

Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-09-27 01:11:53 UTC

Voting YES. Let's have a GLSA.

Comment 20 Matthias Geerdsen (RETIRED) gentoo-dev

2006-09-28 07:26:32 UTC

GLSA 200609-18

thanks everyone