Bug 147838 - www-client/opera - ssl/dns spoofing vulnerability
Summary: www-client/opera - ssl/dns spoofing vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.cdc.informatik.tu-darmstad...
Whiteboard: B3? [glsa] jaervosz
Keywords:
Duplicates: 148489
Depends on: 146702
Blocks:
Reported: 2006-09-16 11:12 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-09-28 07:26 UTC (History)

Attachments
opera 9.02 ebuild (opera-9.02.ebuild,4.33 KB, text/plain)
2006-09-21 15:04 UTC, Eion Robb
opera 9.02 install patch (opera-9.02-install.patch,317 bytes, patch)
2006-09-21 15:04 UTC, Eion Robb

Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2006-09-16 11:12:31 UTC
According to this¹ site, Opera, similar to the recently fixed openssl and mozilla packages, accepts faked ssl certificates as well.


[1] http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-17 07:31:33 UTC
This should be fixed in 9.02.
Comment 3 Wolf Giesen (RETIRED) gentoo-dev 2006-09-21 04:02:59 UTC
*** Bug 148489 has been marked as a duplicate of this bug. ***
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-21 04:11:17 UTC
Axxo, 9.02 is available. Please bump.
Comment 5 Wolf Giesen (RETIRED) gentoo-dev 2006-09-21 04:36:26 UTC
Huh, isn't that 9.02 RC2, still?
Comment 6 Wolf Giesen (RETIRED) gentoo-dev 2006-09-21 04:37:44 UTC
/me kicks squid :(
Comment 7 Eion Robb 2006-09-21 15:04:13 UTC
Created attachment 97697 [details]
opera 9.02 ebuild
Comment 8 Eion Robb 2006-09-21 15:04:52 UTC
Created attachment 97698 [details, diff]
opera 9.02 install patch

put into files/ directory with ebuild
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2006-09-21 15:30:30 UTC
(In reply to comment #6)
> Created an attachment (id=97697) [edit]
> opera 9.02 ebuild
> 

(In reply to comment #7)
> Created an attachment (id=97698) [edit]
> opera 9.02 install patch
> 
> put into files/ directory with ebuild
> 

Sorry, both of you. As bug 146702 shows, the ebuild has been in the tree for a few decaminutes and the stabilisation procedure has started. This bug depends on the stabilisation bug.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2006-09-23 08:57:29 UTC
www-client/opera-9.02 is stable on all arches.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-23 09:51:35 UTC
This one is ready for GLSA vote.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-23 12:25:06 UTC
*cough* stabling of security bugs should be handled on the related security bug report, not on other bug reports ...
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-23 13:43:33 UTC
@Jeroen, Tobias is right. We usually mark stable on the security bug so arches know what is up.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2006-09-23 14:07:30 UTC
(In reply to comment #12)
> @Jeroen, Tobias is right. We usually mark stable on the security bug so arches
> know what is up.

Right. Could you point me toward the relevant documentation?
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-23 22:23:39 UTC
http://www.gentoo.org/security/en/vulnerability-policy.xml
http://www.gentoo.org/security/en/coordinator_guide.xml

Only some parts of the GLSA Coordinator Guide are relevant.

If you have any questions just pop in #-security and ask.

Now back to bug voting :-)
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-26 11:24:05 UTC
tending to vote yes
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-26 13:06:14 UTC
Security please vote.
Comment 18 Wolf Giesen (RETIRED) gentoo-dev 2006-09-26 22:04:40 UTC
Since it contains a fix for the same problem as GLSA'd openssl/gnutls I say YES.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-27 01:11:53 UTC
Voting YES. Let's have a GLSA.
Comment 20 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-28 07:26:32 UTC
GLSA 200609-18

thanks everyone