mozilla: certificate verification bypass

Package(s): firefox thunderbird seamonkey
CVE #(s): CVE-2015-0799
Created: April 6, 2015
Updated: September 4, 2015
Description: From the Arch Linux advisory:

Security researcher Muneaki Nishimura discovered a flaw in Mozilla's HTTP Alternative Services implementation. If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own.

A remote attacker in the position of a man-in-the-middle can impersonate another site, bypassing certificate validation.

Alerts:
Gentoo 201512-10 firefox 2015-12-30
Slackware SSA:2015-246-01 seamonkey 2015-09-03
Mageia MGASA-2015-0342 iceape 2015-09-08
Fedora FEDORA-2015-8179 thunderbird 2015-05-14
Fedora FEDORA-2015-6621 xulrunner 2015-05-11
Fedora FEDORA-2015-5398 thunderbird 2015-05-11
Fedora FEDORA-2015-6621 firefox 2015-05-11
openSUSE openSUSE-SU-2015:0677-1 firefox, thunderbird 2015-04-08
Ubuntu USN-2557-1 firefox 2015-04-07
Arch Linux ASA-201504-4 firefox 2015-04-04


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds