| Summary: | net-www/opera: Still vulnerable to Window Injection | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | lanius |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://secunia.com/advisories/13253/ | | |
| Whiteboard: | B4 [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 74076 | | |

Description
Sune Kloppenborg Jeppesen (RETIRED)
2004-12-08 23:57:27 UTC
Unconfirmed. Ccing maintainer to confirm / keep track of upstream.

Confirmed with Version 7.54 Final Build 751

This is fixed by 7.54u1 on bug #74076

According to http://secunia.com/advisories/13253/ Opera just partly fixed the windows injection vulnerability:

---------
The vendor has issued Security update 7.54u1. However, this update only fixes certain attack vectors, but not the vulnerability. Other attack vectors can therefore still be exploited.
---------

I'll reopen this bug as a tracker for the window injection things that may remain. We'll address those fixed in 7.54u1 in bug 74076.

Reopening

Opera 7.54u2 has been released to fix this and other problems. Lanius, please provide an updated ebuild.

bumped to opera-7.54-r2, stable on amd64, x86 sparc stable.

Please vote on GLSA.

I vote YES. Note that this also fixes (afair):

bug #74076
bug #74321

Changes since 7.54:

Tightened origin check for frames, fixing issue reported in Secunia Advisory 13253. A side effect of this is that documents not passing the origin check will open in a new page.

Fixed issue reported by Marc Schönefeld: intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory.

Fixed LiveConnect class access security issue reported by Jouko Pynnönen.

Fixed download issue reported by Andreas Sandblad, Secunia Research, described in Secunia Advisory 12981: periods and non-breaking spaces in content-type header type could obscure file type.

Improved support for the "must-revalidate" cache directive.

Changes since 7.54u1:

Security

Solved data URL issue described in Secunia Advisory SA13818

Additional fixes for frame injection issue reported in Secunia Advisory SA13253

Miscellaneous

Improvements to handling of the must-revalidate directive.

Solved stability issue in Japanese version.

UNIX specific

Added extra warning dialog when opening .sh, .desktop or executables directly from Web or from transfer manager with kfmclient exec. Addresses issue reported in Secunia Advisory SA13447.

Fixed crash when importing e-mail.

I agree on YES.

GLSA 200502-17