Package: mozilla-firefox
Version: 1.0.5-1
Severity: important

I've tested firefox to be vulnerable to CAN-2005-2395.

Mozilla Firefox 1.0.4 and 1.0.5 do not choose the challenge with the strongest authentication scheme available as required by RFC2617, which might cause credentials to be sent in plaintext even if an encrypted channel is available.

For details, see http://www.securityfocus.com/archive/1/405666

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages mozilla-firefox depends on:
ii  debianutils     2.14.1          Miscellaneous utilities specific t
ii  fontconfig      2.3.2-1         generic font configuration library
ii  libatk1.0-0     1.10.1-2        The ATK accessibility toolkit
ii  libc6           2.3.2.ds1-22    GNU C Library: Shared libraries an
ii  libfontconfig1  2.3.2-1         generic font configuration library
ii  libfreetype6    2.1.10-1        FreeType 2 font engine, shared lib
ii  libgcc1         1:4.0.1-2       GCC support library
ii  libglib2.0-0    2.6.5-1         The GLib library of C routines
ii  libgtk2.0-0     2.6.8-1         The GTK+ graphical user interface
ii  libidl0         0.8.5-1         library for parsing CORBA IDL file
ii  libjpeg62       6b-10           The Independent JPEG Group's JPEG
ii  libkrb53        1.3.6-4         MIT Kerberos runtime libraries
ii  libpango1.0-0   1.8.1-1         Layout and rendering of internatio
ii  libpng12-0      1.2.8rel-1      PNG library - runtime
ii  libstdc++6      4.0.1-2         The GNU Standard C++ Library v3
ii  libx11-6        6.8.2.dfsg.1-3  X Window System protocol client li
ii  libxext6        6.8.2.dfsg.1-3  X Window System miscellaneous exte
ii  libxft2         2.1.7-1         FreeType-based font drawing librar
ii  libxp6          6.8.2.dfsg.1-3  X Window System printing extension
ii  libxt6          6.8.2.dfsg.1-3  X Toolkit Intrinsics
ii  psmisc          21.6-1          Utilities that use the proc filesy
ii  xlibs           6.8.2.dfsg.1-3  X Window System client libraries m
ii  zlib1g          1:1.2.2-9       compression library - runtime

mozilla-firefox recommends no packages.

-- no debconf information

-- 
see shy jo
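The selection rule the report cites from RFC2617, as an added example that is not part of the original report and not Firefox code: parse every WWW-Authenticate challenge a server offers and pick the strongest scheme the client understands. The names STRENGTH, SAMPLE_HEADERS, parse_challenges and choose_challenge, the Basic-below-Digest ranking and the sample header values are assumptions made for this illustration.

```python
import re

# Assumed ranking for this example (higher is stronger): Basic sends the
# password base64-encoded, i.e. effectively in plaintext; Digest sends a hash.
STRENGTH = {"basic": 0, "digest": 1}
_PARAM = re.compile(r"^([\w!#$%&'*+.^`|~-]+)\s*=\s*(.*)$")

# Constructed sample: one response offering both schemes, weakest first.
SAMPLE_HEADERS = [
    'Basic realm="intranet"',
    'Digest realm="intranet", qop="auth,auth-int", nonce="abc123=="',
]

def _split_commas(value):
    """Split on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_challenges(header_values):
    """Return [(scheme, {param: value})] from all WWW-Authenticate values."""
    challenges = []
    for value in header_values:
        for item in _split_commas(value):
            m = _PARAM.match(item)
            if not m:  # no leading name=value, so the item opens a new challenge
                scheme, _, rest = item.partition(" ")
                challenges.append((scheme.lower(), {}))
                m = _PARAM.match(rest.strip())
            if m and challenges:
                challenges[-1][1][m.group(1).lower()] = m.group(2).strip('"')
    return challenges

def choose_challenge(header_values):
    """Pick the strongest understood challenge; unknown schemes are skipped."""
    known = [c for c in parse_challenges(header_values) if c[0] in STRENGTH]
    return max(known, key=lambda c: STRENGTH[c[0]], default=None)
```

A client that simply answers the first challenge in the list would send Basic credentials for SAMPLE_HEADERS even though Digest is offered, which is the behaviour the report describes.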