Mozilla Browser Non-FQDN SSL Certificate Spoofing Vulnerability

admin 2022-07-22 12:47:33 CNNVD Vulnerabilities Source: ZONE.CI Global Network

Vulnerability Details

Mozilla Browser Non-FQDN SSL Certificate Spoofing Vulnerability

  • CNNVD ID: CNNVD-200408-154
  • Severity: High
  • CVE ID: CVE-2004-0765
  • Vulnerability type: Design error
  • Published: 2004-08-18
  • Threat type: Remote
  • Updated: 2005-10-20
  • Vendor: mozilla
  • Source: The individual res...

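Vulnerability Description

The cert_TestHostName function in Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 is vulnerable. When the hostname portion of the URI is not a fully qualified domain name (FQDN), the function checks the hostname portion of the certificate, which allows remote attackers to spoof trusted certificates.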
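The matching behaviour described above, shown next to a strict comparison. This is an added example and a simplified model, not NSS source code: the function names `flawed_match` and `strict_match` and the sample host names are hypothetical, and wildcard handling is left out.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified model for illustration; NOT the NSS source.
 * flawed_match and strict_match are hypothetical names. */

/* Flawed: when the URI host has no dot (not an FQDN), it is compared
 * only with the leading label of the certificate name. */
int flawed_match(const char *uri_host, const char *cert_name)
{
    if (strcasecmp(uri_host, cert_name) == 0)
        return 1;
    if (strchr(uri_host, '.') == NULL) {
        const char *dot = strchr(cert_name, '.');
        size_t label_len = dot ? (size_t)(dot - cert_name) : strlen(cert_name);
        return strlen(uri_host) == label_len &&
               strncasecmp(uri_host, cert_name, label_len) == 0;
    }
    return 0;
}

/* Strict: the whole certificate name must equal the requested host,
 * so a short name is never accepted for a certificate of another domain. */
int strict_match(const char *uri_host, const char *cert_name)
{
    return strcasecmp(uri_host, cert_name) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from any real certificate. */
    static const char *cases[][2] = {
        { "mail",              "mail.unrelated.example" },
        { "mail.corp.example", "mail.unrelated.example" },
        { "MAIL.corp.example", "mail.corp.example" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-24s flawed=%d strict=%d\n",
               cases[i][0], cases[i][1],
               flawed_match(cases[i][0], cases[i][1]),
               strict_match(cases[i][0], cases[i][1]));
    return 0;
}
```
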

Vulnerability Advisories

Conectiva has released an advisory (CLA-2004:877) to address various issues including this issue in Mozilla. This advisory contains updated Mozilla packages (1.7.3) for Conectiva Linux 9 and 10. Please see the referenced advisory for more information.

SCO has released an advisory SCOSA-2005.25 including updated packages to address this issue. Please see the referenced advisory for more information.

Red Hat has released advisory RHSA-2004:421-17 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

The vendor has released an upgrade dealing with this issue.

Avaya has released an advisory that acknowledges this vulnerability for Avaya products. Fixes are not currently available; customers are advised to contact the vendor for further details regarding fix availability. Please see the referenced Avaya advisory at the following location for further details: http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=198527&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Slackware has released an advisory (SSA:2004-223-01) to address this issue. Please see the referenced advisory for more information.

Mandrake Linux has released advisory MDKSA-2004:082 along with fixes addressing this issue. Please see the referenced advisory for further information.

SGI has made available Patch 10095, correcting this vulnerability for systems running SGI Advanced Linux Environment 3. Patch 10095 is available from http://support.sgi.com/ and ftp://patches.sgi.com/support/free/security/patches/ProPack/3/

The individual RPMs from Patch 10095 are available from:
ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS
ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS

SuSE Linux has released advisory SUSE-SA:2004:036 along with fixes dealing with this issue. Please see the referenced advisory for more information.

The Fedora Legacy project has released advisory FLSA-2004:2089 along with fixes to address multiple issues in RedHat Fedora Core 1, and RedHat Linux 7.3 and 9.0. Please see the referenced advisory for further information.

Mozilla Thunderbird 0.6

  • Mozilla Thunderbird 0.7.3 http://www.mozilla.org/products/thunderbird/
Mozilla Thunderbird 0.7
  • Mozilla Thunderbird 0.7.3 http://www.mozilla.org/products/thunderbird/
Mozilla Thunderbird 0.7.1
  • Mozilla Thunderbird 0.7.3 http://www.mozilla.org/products/thunderbird/
Mozilla Thunderbird 0.7.2
  • Mozilla Thunderbird 0.7.3 http://www.mozilla.org/products/thunderbird/
Mozilla Firefox 0.8
Mozilla Firefox 0.9
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9.2
Mozilla Browser 1.0 RC1
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.0 RC2
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.0
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.0.1
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.0.2
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.1
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.1 Alpha
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.1 Beta
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.2 Alpha
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.2
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.2 Beta
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
Mozilla Browser 1.2.1
  • Mozilla Mozilla 1.7.2 http://www.mozilla.org/products/mozilla1.x/
  • RedHat galeon-1.2.13-0.9.2.legacy.i386.rpm RedHat Linux 9 http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.13-0.9.2.legacy.i386.rpm
  • RedHat mozilla-1.4.3-0.9.1.legacy.i386.rpm RedHat Linux 9 http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.4.3-0.9.1.legacy.i386.rpm
  • RedHat mozilla-chat-1.4.3-0.9.1.legacy.i386.rpm RedHat Linux 9 http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.4.3-0.9.1.legacy.i386.rpm
  • RedHat mozilla-devel-1.4.3-0.9.1.legacy.i386.rpm RedHat Linux 9 http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.4.3-0.9.1.legacy.i386.rpm
  • RedHat mozilla-dom-inspector-1.4.3-0.9.1.legacy.i386.rpm RedHat Linux 9

References

  • Source: REDHAT, Name: RHSA-2004:421, Link: http://www.redhat.com/support/errata/RHSA-2004-421.html
  • Source: bugzilla.mozilla.org, Link: http://bugzilla.mozilla.org/show_bug.cgi?id=234058
  • Source: XF, Name: mozilla-certtesthostname-certificate-spoof(16868), Link: http://xforce.iss.net/xforce/xfdb/16868
  • Source: SUSE, Name: SUSE-SA:2004:036, Link: http://www.novell.com/linux/security/advisories/2004_36_mozilla.html
  • Source: www.mozilla.org, Link: http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7
  • Source: OVAL, Name: oval:org.mitre.oval:def:11162, Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11162
  • Source: FEDORA, Name: FLSA:2089, Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109900315219363&w=2

Affected Entities

  • Mozilla Thunderbird:0.7  
  • Mozilla Firefox:0.9  
  • Mozilla Mozilla:1.7  

Patches

    None available
