| Summary: | <www-client/opera-11.51.1087 - Unsecured web content may appear to be secure or trusted through Extended Validation (CVE-2011-{3388,3389}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | jer |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/45791/ | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2011-08-31 12:01:48 UTC
Arch teams, please test and mark stable:
=www-client/opera-11.51.1087
Target KEYWORDS="amd64 x86"

http://www.opera.com/support/kb/view/1000/

== Unsecured web content may appear to be secure or trusted through Extended Validation ==

= Severity =
High

= Description =
Insecure sites should be shown in the address field as insecure (displayed as "Web" in the address field). When certain content is loaded and manipulated in a specific sequence, it can cause Opera to display the security information from the loaded resources in the address field and page information dialog. This allows a malicious page to display the security information from a secure or trusted third party, instead of its own security information.

Adding severity=4 per Tim's suggestion.

amd64 ok

amd64: pass

+ 01 Sep 2011; Tony Vroon <chainsaw@gentoo.org> opera-11.51.1087.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+ Elijah "Armageddon" El Lazkani in security bug #381275.

x86 stable

Thanks all, adding glsa vote.

Thanks, folks. GLSA Vote: no.

CVE-2011-3388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3388): Opera before 11.51 allows remote attackers to cause an insecure site to appear secure or trusted via unspecified actions related to Extended Validation and loading content from trusted sources in an unspecified sequence that causes the address field and page information dialog to contain security information based on the trusted site, instead of the insecure site.

Added to pending GLSA request.

This issue was resolved and addressed in GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml by GLSA coordinator Sean Amoss (ackle).