- Package: iceweasel
- Source: firefox-esr
- Submitter: Joey Hess
- Date: 2022-02-28 17:27:12 UTC
- Severity: important
- Tags:
I've tested firefox to be vulnerable to CAN-2005-2395. Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the strongest authentication scheme available as required by RFC2617, which might cause credentials to be sent in plaintext even if an encrypted channel is available. For details, see http://www.securityfocus.com/archive/1/405666
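The selection rule the report refers to, as an added example (not code from Firefox, the upstream patch, or this bug log): it parses every `WWW-Authenticate` challenge a server sends and picks the strongest supported scheme instead of the first one listed. The scheme ranking, the function names and the sample headers are constructed assumptions.

```python
import re

# Assumption for this sketch: the client supports only the two RFC 2617
# schemes; anything else is treated as unsupported and skipped.
STRENGTH = {"basic": 0, "digest": 1}

_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')  # one comma-separated item
_START = re.compile(rf"^({_TOKEN})(?:\s+(.*))?$", re.S)  # "<scheme> [first-param]"
_PARAM = re.compile(rf'^({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s"]*))$', re.S)


def _items(value):
    """Comma-separated list items, ignoring commas inside quoted strings."""
    return [i.strip() for i in _ITEM.findall(value) if i.strip()]


def parse_challenges(header_values):
    """Return [(scheme, params)] for every challenge, in the order received."""
    out = []
    for value in header_values:
        current = None  # parameters never carry over between header lines
        for item in _items(value):
            m = _PARAM.match(item)
            if m is None:  # not "name=value", so it starts a new challenge
                s = _START.match(item)
                current = (s.group(1).lower(), {}) if s else None
                if current:
                    out.append(current)
                    m = _PARAM.match(s.group(2) or "")
            if m and current:
                quoted, bare = m.group(2), m.group(3)
                text = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
                current[1][m.group(1).lower()] = text
    return out


def choose_challenge(header_values):
    """Pick the strongest supported challenge, not the first one listed."""
    usable = [c for c in parse_challenges(header_values) if c[0] in STRENGTH]
    return max(usable, key=lambda c: STRENGTH[c[0]], default=None)


# Constructed sample: the weaker scheme is listed first.
SAMPLE = ['Basic realm="intranet, staging"',
          'Digest realm="intranet", qop="auth", nonce="bm9uY2U=", NewScheme realm="x"']
```

With `SAMPLE`, a client that answers the first challenge it sees would use Basic; `choose_challenge(SAMPLE)` returns the Digest challenge.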
forwarded 320539 https://bugzilla.mozilla.org/show_bug.cgi?id=281851
thanks

* Joey Hess (joeyh@debian.org) wrote:

Seems there's a patch now, but it hasn't been reviewed, and the Mozilla developers don't seem tremendously concerned.
Dear Firefox/Iceweasel user,

Thanks for your interest in Firefox/Iceweasel and the bug report you have contributed.

Your bug report [0] was done for a version which isn't a part of Debian anymore. Debian 4.0 (Etch) was released with version 2.0.0.3.

Please reproduce your bug on an updated version of Iceweasel and confirm it still exists, or close it as irrelevant for recent versions. If you don't know or are not sure how to update or close your bug report, please contact me directly, and I'll help you.

IMPORTANT: In any case, please provide version info, as we use it to determine the relevance of the bug.

As this bug is quite old, I intend to close it if you don't update your bug report in the next 6 weeks. This is the time line for the old bugs cleanup:

1. October 1st - first notice.
2. October 15th - Second notice.
3. October 29th - Third notice.
4. November 12th - Closing the bug.

Please help the Firefox/Iceweasel maintainer to help you (:

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320539
This is a security hole; it's not appropriate to close the bug without verifying it's been fixed. The bug is forwarded upstream, and open there.