Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 204337 - Mozilla Browsers SSL subjectAltName:dNSName certificate spoofing (CVE-2008-2809)
Summary: Mozilla Browsers SSL subjectAltName:dNSName certificate spoofing (CVE-2008-2809)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard: A4 [glsa]
Keywords:
Depends on: 230567
Blocks:
  Show dependency tree
 
Reported: 2008-01-04 22:28 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-06 00:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:28:11 UTC 
CVE-2007-6590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6590):
  Mozilla 1.9 M8 and earlier, Mozilla Firefox 2, SeaMonkey 1.1.5, Netscape 9.0,
  and other Mozilla-based web browsers, when a user accepts an SSL server
  certificate on the basis of the CN domain name in the DN field, regard the
  certificate as also accepted for all domain names in subjectAltName:dNSName
  fields, which makes it easier for remote attackers to trick a user into
  accepting an invalid certificate for a spoofed web site.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:56:41 UTC 
Reproducer
  http://test.eonis.net/

Advisory
  http://nils.toedtmann.net/pub/subjectAltName.txt

Upstream bug
  https://bugzilla.mozilla.org/show_bug.cgi?id=240261
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2008-01-05 11:57:42 UTC 
Heh, this bug is from 2004...
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2008-07-18 17:21:11 UTC 
This was fixed in 1.8.1.15
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 18:49:16 UTC 
CVE-2007-6590 is now rejected, use CVE-2008-2809.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 00:43:02 UTC 
GLSA 200808-03