Bug#294274: marked as done (IDN support allows domain name spoofing)

Wed, 23 Mar 2005 11:19:12 -0800 

Your message dated Wed, 23 Mar 2005 13:32:24 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#294274: fixed in mozilla 2:1.7.6-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Feb 2005 21:06:40 +0000
>From [EMAIL PROTECTED] Tue Feb 08 13:06:38 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1CycZ8-0000hQ-00; Tue, 08 Feb 2005 13:06:34 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
        by kitenet.net (Postfix) with ESMTP id B1E5E17F17
        for <[EMAIL PROTECTED]>; Tue,  8 Feb 2005 21:06:13 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
        id 904056E20E; Tue,  8 Feb 2005 16:08:03 -0500 (EST)
Date: Tue, 8 Feb 2005 16:08:03 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: IDN support allows domain name spoofing
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="zYM0uCDKw75PZbzx"
Content-Disposition: inline
X-Reportbug-Version: 3.7.1
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: mozilla-browser
Version: 2:1.7.5-1
Severity: normal
Tags: security

Epiphany and other browsers which support IDN are vulnerable to domain
spoofing via homograph characters in domain names. Please see
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031459.html
for details, and note that this is CAN-2005-0233.

This bug is filed upstream:
https://bugzilla.mozilla.org/show_bug.cgi?id=3D281381

Note: I have not marked this bug as releae critical, because it's not
clear to me if spoofing attacks qualify.

--=20
see shy jo

--zYM0uCDKw75PZbzx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCCSozd8HHehbQuO8RAk7RAKCzl1gvBjoMAdIwOJYbFJCv/ajoYACdHAi9
ZRyMwPcMCttI8VKdnRPWPO0=
=APHS
-----END PGP SIGNATURE-----

--zYM0uCDKw75PZbzx--

---------------------------------------
Received: (at 294274-close) by bugs.debian.org; 23 Mar 2005 18:55:09 +0000
>From [EMAIL PROTECTED] Wed Mar 23 10:55:08 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DEB0W-0004p1-00; Wed, 23 Mar 2005 10:55:08 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DEAeW-00004v-00; Wed, 23 Mar 2005 13:32:24 -0500
From: Takuo KITAME <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#294274: fixed in mozilla 2:1.7.6-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 23 Mar 2005 13:32:24 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 9

Source: mozilla
Source-Version: 2:1.7.6-1

We believe that the bug you reported is fixed in the latest version of
mozilla, which is due to be installed in the Debian FTP archive:

libnspr-dev_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnspr-dev_1.7.6-1_i386.deb
libnspr4_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnspr4_1.7.6-1_i386.deb
libnss-dev_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnss-dev_1.7.6-1_i386.deb
libnss3_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnss3_1.7.6-1_i386.deb
mozilla-browser_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-browser_1.7.6-1_i386.deb
mozilla-calendar_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-calendar_1.7.6-1_i386.deb
mozilla-chatzilla_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-chatzilla_1.7.6-1_i386.deb
mozilla-dev_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-dev_1.7.6-1_i386.deb
mozilla-dom-inspector_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-dom-inspector_1.7.6-1_i386.deb
mozilla-js-debugger_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-js-debugger_1.7.6-1_i386.deb
mozilla-mailnews_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-mailnews_1.7.6-1_i386.deb
mozilla-psm_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-psm_1.7.6-1_i386.deb
mozilla_1.7.6-1.diff.gz
  to pool/main/m/mozilla/mozilla_1.7.6-1.diff.gz
mozilla_1.7.6-1.dsc
  to pool/main/m/mozilla/mozilla_1.7.6-1.dsc
mozilla_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla_1.7.6-1_i386.deb
mozilla_1.7.6.orig.tar.gz
  to pool/main/m/mozilla/mozilla_1.7.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Takuo KITAME <[EMAIL PROTECTED]> (supplier of updated mozilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 Mar 2005 01:34:42 +0900
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-dom-inspector libnspr4 
mozilla-js-debugger mozilla-browser libnss3 libnspr-dev mozilla-chatzilla 
mozilla-psm mozilla-mailnews libnss-dev mozilla-dev
Architecture: source i386
Version: 2:1.7.6-1
Distribution: unstable
Urgency: low
Maintainer: Takuo KITAME <[EMAIL PROTECTED]>
Changed-By: Takuo KITAME <[EMAIL PROTECTED]>
Description: 
 libnspr-dev - Netscape Portable Runtime library - development files
 libnspr4   - Netscape Portable Runtime Library
 libnss-dev - Network Security Service Libraries - development
 libnss3    - Network Security Service Libraries - runtime
 mozilla    - The Mozilla Internet application suite - meta package
 mozilla-browser - The Mozilla Internet application suite - core and browser
 mozilla-calendar - Todo organizer,calendar and reminder,integrated with 
Mozilla suit
 mozilla-chatzilla - Mozilla Web Browser - irc client
 mozilla-dev - The Mozilla Internet application suite - development files
 mozilla-dom-inspector - A tool for inspecting the DOM of pages in Mozilla.
 mozilla-js-debugger - JavaScript debugger for use with Mozilla
 mozilla-mailnews - The Mozilla Internet application suite - mail and news 
support
 mozilla-psm - The Mozilla Internet application suite - Personal Security Manage
Closes: 215394 265928 270783 277504 279200 285611 290451 290863 293663 294274 
297216 297618 297619 297620 300090 300978
Changes: 
 mozilla (2:1.7.6-1) unstable; urgency=low
 .
   * New upstream release
   * fix some security issues.
     - CAN-2005-0233: IDN support allows domainname spooing (closes: #294274)
     - CAN-2005-0592: Heap-based bufer over flow (closes: #297619)
     - CAN-2004-1156: secunia window injection vulnerability (closes: #293663)
     - MFSA-2005-18: Mozilla Firefox and Mozilla Browser Out Of Memory Heap 
Corruption Design Error
     - CAN-2005-0593: SSL "secure site" indicator spoofing (closes: #297618)
     - CAN-2005-0588: does not restrict xsl:include and xsl:import tags in XSLT 
stylesheets to the current domain.
     - CAN-2005-0587: allows remote malicious web sites to overwrite arbitrary 
files by tricking the user into downloading a .LNK (link) file twice, which 
overwrites the file that was referenced in the first .LNK file.
     - CAN-2005-0586: allows remote malicious web sites to spoof the extensions 
of files to download via the Content-Disposition header
     - CAN-2005-0585: truncates long sub-domains or paths for display, which 
may allow remote malicious web sites to spoof legitimate sites and facilitate 
phishing attacks.
     - CAN-2005-0584: when displaying the HTTP Authentication dialog, do not 
change the focus to the tab that generated the prompt, which could facilitate 
spoofing and phishing attacks. (closes: #297620)
   * change binary name to mozilla-suite rom mozilla-VERSION (closes: 
#285611,#277504,#215394)
   * applied over the spot patch (closes: #290863)
   * added debian/po/it.po (closes: #279200)
   * added debian/po/nl.po (closes: #270783)
   * update debian/po/fi.po (closes: #265928)
   * remove run-mozilla.sh (closes: #297216, #300090)
   * update xprint dependency (closes: #300978)
   * use readlink(1) instead of perl's. (closes: #290451)
Files: 
 03f9b7cf7250d2bfa894fd264306b6ab 1111 web optional mozilla_1.7.6-1.dsc
 800f8d3877193a5d786d9ce4e3d1e400 30587697 web optional 
mozilla_1.7.6.orig.tar.gz
 15b76e937aa59308670c5afbaba7fd1f 303435 web optional mozilla_1.7.6-1.diff.gz
 70e9de0a98277fb0899227bebba665ab 1028 web optional mozilla_1.7.6-1_i386.deb
 97f99f437701e242220fa9de5a7c3bdf 10280282 web optional 
mozilla-browser_1.7.6-1_i386.deb
 8fc77a77186e461c480b8455c9272281 3343978 devel optional 
mozilla-dev_1.7.6-1_i386.deb
 0d6d79f4b70dd7d3cd58ad69829c4d91 1811052 mail optional 
mozilla-mailnews_1.7.6-1_i386.deb
 7881b2b481782364b1cb8a30cc454cf5 158318 net optional 
mozilla-chatzilla_1.7.6-1_i386.deb
 68e7c2c1c5ae79b1ae7bd0efbb75467e 192294 web optional 
mozilla-psm_1.7.6-1_i386.deb
 6b746476168989818eddd61e2d926acb 116194 web optional 
mozilla-dom-inspector_1.7.6-1_i386.deb
 f1925702d98df3ae51f28abe8f72c9b8 204124 devel optional 
mozilla-js-debugger_1.7.6-1_i386.deb
 5684fcb1e872312398fa3572157d8ffd 403270 misc optional 
mozilla-calendar_1.7.6-1_i386.deb
 db7397110795bc26f3ff049ad5cb0b26 129784 libs optional libnspr4_1.7.6-1_i386.deb
 4df0474571e6206ffeb96f1847857598 168060 libdevel optional 
libnspr-dev_1.7.6-1_i386.deb
 76106353331539e79d10e133498699d4 653648 libs optional libnss3_1.7.6-1_i386.deb
 3093fc70ca1754bf1506cc7c000b5106 184920 libdevel optional 
libnss-dev_1.7.6-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCQbO+U+WZW1FVMwoRAnxyAJ92vH1aYBcYDcyKE3UaKjHUGTT7fACfaXuH
hsFMT2ZhkOqrng0p3NOEBu0=
=zlfK
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to