Package: mozilla-firefox
Version: 1.0+dfsg.1-5
Severity: grave
Justification: user security hole

"Homograph attack" allows an attacker to create a link, with SSL 'lock' and everything, which is indistinguishable from a trusted site. Advisory is here:

http://www.shmoo.com/idn/homograph.txt

Example page showing this attack for paypal.com is at:

http://www.shmoo.com/idn/

and example for amazon.com is at:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3866526512

This last is a real shame.

There is a simple workaround for mozilla and firefox:

> You can disable IDN support in mozilla products by setting
> 'network.enableIDN' to false.

This should be done ASAP for debian packages to provide a 'secure by default' experience. The advisory indicates that mozilla is "working on finding a good long-term solution"; we should re-enable IDN only when that 'real' solution appears.

This fix may upset international users, but they can locally re-enable IDN once they are advised of the vulnerability. For English-speaking users disabling IDN is obviously the right thing to do.

--scott

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mozilla-firefox depends on:
ii  debianutils     2.11.2           Miscellaneous utilities specific t
ii  fontconfig      2.2.3-4          generic font configuration library
ii  libatk1.0-0     1.8.0-4          The ATK accessibility toolkit
ii  libc6           2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  libfontconfig1  2.2.3-4          generic font configuration library
ii  libfreetype6    2.1.7-2.3        FreeType 2 font engine, shared lib
ii  libgcc1         1:3.4.3-9        GCC support library
ii  libglib2.0-0    2.6.2-1          The GLib library of C routines
ii  libgtk2.0-0     2.6.2-2          The GTK+ graphical user interface
ii  libidl0         0.8.3-1          library for parsing CORBA IDL file
ii  libjpeg62       6b-9             The Independent JPEG Group's JPEG
ii  libkrb53        1.3.6-1          MIT Kerberos runtime libraries
ii  libpango1.0-0   1.8.0-3          Layout and rendering of internatio
ii  libpng12-0      1.2.8rel-1       PNG library - runtime
ii  libstdc++5      1:3.3.5-8        The GNU Standard C++ Library v3
ii  libx11-6        4.3.0.dfsg.1-10  X Window System protocol client li
ii  libxext6        4.3.0.dfsg.1-10  X Window System miscellaneous exte
ii  libxft2         2.1.2-6          FreeType-based font drawing librar
ii  libxp6          4.3.0.dfsg.1-10  X Window System printing extension
ii  libxt6          4.3.0.dfsg.1-10  X Toolkit Intrinsics
ii  psmisc          21.5-1           Utilities that use the proc filesy
ii  xlibs           4.3.0.dfsg.1-10  X Keyboard Extension (XKB) configu
ii  zlib1g          1:1.2.2-4        compression library - runtime

-- no debconf information
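An added example, not part of this bug report and not Mozilla's code, showing in Python what the two display policies amount to: the blunt 'network.enableIDN' = false workaround, under which every internationalized label is rendered in its ASCII punycode ("xn--") form, beside a per-label mixed-script check of the kind a longer-term fix would need. It relies only on the standard library's idna codec and unicodedata; the lookalike hostname ("paypal" with its second letter swapped for CYRILLIC SMALL LETTER A, as in the shmoo demo) is constructed here, and the function and class names are this example's own.

```python
import unicodedata
from dataclasses import dataclass, field


@dataclass
class HostCheck:
    """Result of inspecting one hostname (names are this example's own)."""
    ascii_host: str                    # ACE / punycode form, e.g. www.xn--pypal-4ve.com
    unicode_host: str                  # what an IDN-enabled address bar would render
    mixed_script_labels: list = field(default_factory=list)

    def is_suspicious(self) -> bool:
        # One label drawing letters from two scripts is the homograph signature.
        return bool(self.mixed_script_labels)


def label_scripts(label: str) -> set:
    """Return the set of scripts (first word of each character's Unicode name) in a label.

    Digits and hyphens are script-neutral and are ignored.
    """
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split()[0] if name else "UNKNOWN")
    return scripts


def check_host(host: str) -> HostCheck:
    """Accept a hostname in Unicode or punycode spelling and inspect each label."""
    # Python's idna codec passes ASCII (including xn--) labels through unchanged and
    # nameprep-normalises the rest, so both spellings collapse to one ACE string.
    ace = host.encode("idna").decode("ascii")
    uni = ace.encode("ascii").decode("idna")
    mixed = [label for label in uni.split(".") if len(label_scripts(label)) > 1]
    return HostCheck(ace, uni, mixed)


def display_host(host: str, enable_idn: bool = True, flag_mixed_script: bool = False) -> str:
    """Simulate the address-bar text under the two policies.

    enable_idn=False reproduces the 'network.enableIDN' workaround: every label is
    shown as punycode, so www.xn--pypal-4ve.com never looks like paypal.
    flag_mixed_script=True is a narrower policy (assumed here, not Firefox 1.0 code):
    only hosts containing a mixed-script label fall back to the ACE form, so
    legitimate single-script international names stay readable.
    """
    result = check_host(host)
    if not enable_idn:
        return result.ascii_host
    if flag_mixed_script and result.is_suspicious():
        return result.ascii_host
    return result.unicode_host


if __name__ == "__main__":
    # Constructed sample: 'paypal' with the second letter replaced by U+0430.
    lookalike = "www.p\u0430ypal.com"
    for policy in ({"enable_idn": True}, {"enable_idn": False}, {"flag_mixed_script": True}):
        print(policy, "->", display_host(lookalike, **policy))
    # A single-script Cyrillic name is not flagged by the narrower policy.
    print("legit IDN kept readable:", display_host("россия.com", flag_mixed_script=True))
```

With IDN enabled the lookalike renders as "www.pаypal.com", which is the whole problem; with the workaround it renders as "www.xn--pypal-4ve.com"; the mixed-script policy gets the same punycode fallback for the lookalike while leaving "россия.com" in Unicode, which is the trade-off the report's international users care about.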