Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 204337 - Mozilla Browsers SSL subjectAltName:dNSName certificate spoofing (CVE-2008-2809)
Summary: Mozilla Browsers SSL subjectAltName:dNSName certificate spoofing (CVE-2008-2809)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: A4 [glsa]
Depends on: 230567
  Show dependency tree
Reported: 2008-01-04 22:28 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-06 00:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:28:11 UTC
CVE-2007-6590 (
  Mozilla 1.9 M8 and earlier, Mozilla Firefox 2, SeaMonkey 1.1.5, Netscape 9.0,
  and other Mozilla-based web browsers, when a user accepts an SSL server
  certificate on the basis of the CN domain name in the DN field, regard the
  certificate as also accepted for all domain names in subjectAltName:dNSName
  fields, which makes it easier for remote attackers to trick a user into
  accepting an invalid certificate for a spoofed web site.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:56:41 UTC


Upstream bug
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2008-01-05 11:57:42 UTC
Heh, this bug is from 2004...
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2008-07-18 17:21:11 UTC
This was fixed in
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 18:49:16 UTC
CVE-2007-6590 is now rejected, use CVE-2008-2809. 
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 00:43:02 UTC
GLSA 200808-03