Bug 303763 (CVE-2009-4629)

Summary:	mail-client/mozilla-thunderbird, www-client/seamonkey, www-client/mozilla-firefox DNS prefetching information disclosure (CVE-2009-{4629,4630})
Product:	Gentoo Security	Reporter:	Stefan Behte (RETIRED) <craig>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED WONTFIX
Severity:	trivial	CC:	mozilla
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.mozilla.org/show_bug.cgi?id=492196
Whiteboard:	~4 [ebuild]
Package list:		Runtime testing required:	---

Description Stefan Behte (RETIRED) gentoo-dev

2010-02-06 15:40:18 UTC

CVE-2009-4629 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4629):
  Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other
  applications, performs DNS prefetching even when the app type is
  APP_TYPE_MAIL or APP_TYPE_EDITOR, which makes it easier for remote
  attackers to determine the network location of the application's user
  by logging DNS requests, as demonstrated by DNS requests triggered by
  reading text/plain e-mail messages in Thunderbird.

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2010-02-06 15:41:12 UTC

CVE-2009-4630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4630):
  Mozilla Necko, as used in Firefox, SeaMonkey, and other applications,
  performs DNS prefetching of domain names contained in links within
  local HTML documents, which makes it easier for remote attackers to
  determine the network location of the application's user by logging
  DNS requests.  NOTE: the vendor disputes the significance of this
  issue, stating "I don't think we necessarily need to worry about that
  case."

Comment 2 Stefan Behte (RETIRED) gentoo-dev

2010-02-06 15:46:07 UTC

Issues disputed by vendor.
Having looked into this, it seems to be privacy related, but not an absolutely security-related thing that can be patched.

This can be disabled in thunderbird manually (my guess is firefox, too).