#320539 weak authentication mechanism vulnerability (CAN-2005-2395)

Package:
iceweasel
Source:
firefox-esr
Submitter:
Joey Hess
Date:
2022-02-28 17:27:12 UTC
Severity:
important
Tags:
#320539#5
Date:
2005-07-30 02:59:22 UTC
From:
To:
I've tested firefox to be vulnerable to CAN-2005-2395.

Mozilla Firefox 1.0.4 and 1.0.5 do not choose the challenge with the
strongest authentication scheme available as required by RFC2617, which
might cause credentials to be sent in plaintext even if an encrypted channel
is available.

For details, see http://www.securityfocus.com/archive/1/405666
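
The scheme selection the report refers to, as an added example that is not part of this bug report or of Firefox's code. It assumes a client that supports only the two RFC 2617 schemes (Basic and Digest); all function names and the sample headers are constructed for illustration.

```javascript
// Added example: constructed names, not Firefox source.
// Assumption: the client supports only the two RFC 2617 schemes.
const STRENGTH = new Map([["basic", 1], ["digest", 2]]);
// Constructed sample: a server offering both schemes in separate headers.
const SAMPLE = [
  'Basic realm="files, internal"',
  'Digest realm="files, internal", nonce="abc123", qop="auth"',
];

// Split a header value on commas that are outside quoted-strings.
function splitOutsideQuotes(value) {
  const parts = [];
  let current = "", quoted = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (quoted && ch === "\\" && i + 1 < value.length) {
      current += ch + value[++i]; // escaped character stays inside the string
    } else if (ch === "," && !quoted) {
      parts.push(current.trim());
      current = "";
    } else {
      if (ch === '"') quoted = !quoted;
      current += ch;
    }
  }
  parts.push(current.trim());
  return parts.filter((p) => p.length > 0);
}

// Parse every challenge from one or more WWW-Authenticate header values.
function parseChallenges(headerValues) {
  const challenges = [];
  for (const part of headerValues.flatMap(splitOutsideQuotes)) {
    // "Scheme name=value" opens a challenge; a bare "name=value" continues it.
    const open = part.match(/^([\w-]+)(?:\s+(?!\s*=)(.*))?$/);
    if (open) challenges.push({ scheme: open[1].toLowerCase(), params: Object.create(null) });
    const kv = (open ? open[2] || "" : part).match(/^([^=\s]+)\s*=\s*(.*)$/);
    if (kv && challenges.length > 0) {
      const raw = kv[2].replace(/^"(.*)"$/, "$1").replace(/\\(.)/g, "$1");
      challenges[challenges.length - 1].params[kv[1].toLowerCase()] = raw;
    }
  }
  return challenges;
}

const supported = (hs) => parseChallenges(hs).filter((c) => STRENGTH.has(c.scheme));
// Order-dependent selection, shown for contrast (the report does not say which challenge Firefox picks).
const selectFirst = (hs) => supported(hs)[0] || null;
// RFC 2617 behaviour: answer the strongest scheme the client supports.
const selectStrongest = (hs) => supported(hs).reduce(
  (best, c) => (!best || STRENGTH.get(c.scheme) > STRENGTH.get(best.scheme) ? c : best), null);
```

With SAMPLE, selectFirst returns the Basic challenge and selectStrongest returns the Digest one, regardless of header order.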

#320539#10
Date:
2005-09-18 22:16:07 UTC
From:
To:
forwarded 320539 https://bugzilla.mozilla.org/show_bug.cgi?id=281851
thanks

* Joey Hess (joeyh@debian.org) wrote:

Seems there's a patch now, but it hasn't been reviewed, and the
mozilla developers don't seem tremendously concerned.
#320539#21
Date:
2007-10-01 12:17:19 UTC
From:
To:
Dear Firefox/Iceweasel user,

Thanks for your interest in Firefox/Iceweasel and the bug report you have contributed.

Your bug report [0] was done for a version which isn't a part of Debian anymore. Debian 4.0 (Etch) was released with version 2.0.0.3.

Please reproduce your bug on an updated version of Iceweasel and confirm it
still exists, or close it as irrelevant for recent versions.

If you don't know or are not sure how to update or close your bug report,
please contact me directly, and I'll help you.

IMPORTANT: In any case, please provide version info, as we use it to determine
the relevance of the bug.

As this bug is quite old, I intend to close it if you don't update your bug
report in the next 6 weeks.

This is the timeline for the old bugs cleanup:
1. October 1st - first notice.
2. October 15th - Second notice.
3. October 29th - Third notice.
4. November 12th - Closing the bug.

Please help the Firefox/Iceweasel maintainer to help you (:

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320539

#320539#29
Date:
2007-10-01 17:45:53 UTC
From:
To:
This is a security hole; it's not appropriate to close the bug without
verifying it's been fixed.

The bug is forwarded upstream, and open there.