Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 204337

Summary: Mozilla Browsers SSL subjectAltName:dNSName certificate spoofing (CVE-2008-2809)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mozilla
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=240261
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 230567    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:28:11 UTC 
CVE-2007-6590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6590):
  Mozilla 1.9 M8 and earlier, Mozilla Firefox 2, SeaMonkey 1.1.5, Netscape 9.0,
  and other Mozilla-based web browsers, when a user accepts an SSL server
  certificate on the basis of the CN domain name in the DN field, regard the
  certificate as also accepted for all domain names in subjectAltName:dNSName
  fields, which makes it easier for remote attackers to trick a user into
  accepting an invalid certificate for a spoofed web site.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:56:41 UTC 
Reproducer
  http://test.eonis.net/

Advisory
  http://nils.toedtmann.net/pub/subjectAltName.txt

Upstream bug
  https://bugzilla.mozilla.org/show_bug.cgi?id=240261
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2008-01-05 11:57:42 UTC 
Heh, this bug is from 2004...
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2008-07-18 17:21:11 UTC 
This was fixed in 1.8.1.15
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 18:49:16 UTC 
CVE-2007-6590 is now rejected, use CVE-2008-2809.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 00:43:02 UTC 
GLSA 200808-03