Package: firefox-esr
Version: 45.9.0esr-1
Severity: grave
Tags: security
Justification: user security hole

I've had the network.enableIDN preference[1] set to false for many years (as shown in about:config) in order to avoid some phishing attacks (and I had always relied on it). I've just noticed that it no longer has any effect!

For instance, enter https://www.аррӏе.com/ in the location bar. I don't get any error and the URL in the location bar looks like the Apple one. But it is not the Apple web site.

Note: I've learned at the same time from [2] that there is a new preference network.IDN_show_punycode, but it is set to false by default, and there hasn't been any announcement in the past upgrades of the Debian package.

In any case, network.enableIDN should still have an effect when set to false.

[1] http://kb.mozillazine.org/Network.enableIDN
[2] http://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html

-- Package-specific info:

-- Extensions information
Name: -Global Styles- userstyle
Status: enabled

Name: Adblock Plus
Location: ${PROFILE_EXTENSIONS}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
Status: enabled

Name: AlloCiné userstyle
Status: enabled

Name: allocine-imdb greasemonkey-user-script
Status: enabled

Name: cac-imdb greasemonkey-user-script
Status: enabled

Name: Cinémathèque Française userstyle
Status: enabled

Name: Classic Theme Restorer
Location: ${PROFILE_EXTENSIONS}/classicthemeresto...@arist2noia4dev.xpi
Status: enabled

Name: Combine Stop/Reload buttons userstyle
Status: enabled

Name: Default theme
Location: /usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
Package: firefox-esr
Status: enabled

Name: Different cursor for links that open in new windows userstyle
Status: enabled

Name: Disable autocomplete userstyle
Status: user-disabled

Name: Disable marquee userstyle
Status: user-disabled

Name: Filmsite.org userstyle
Status: enabled

Name: Firebug
Location: ${PROFILE_EXTENSIONS}/fire...@software.joehewitt.com.xpi
Status: enabled

Name: Firefox Hello Beta
Location: ${PROFILE_EXTENSIONS}/l...@mozilla.org.xpi
Status: enabled

Name: Flagfox
Location: ${PROFILE_EXTENSIONS}/{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi
Status: enabled

Name: Font Finder
Location: ${PROFILE_EXTENSIONS}/fontfin...@bendodson.com.xpi
Status: enabled

Name: FxIF
Location: ${PROFILE_EXTENSIONS}/{11483926-db67-4190-91b1-ef20fcec5f33}.xpi
Status: enabled

Name: GLPI - assistance.ens-lyon.fr userstyle
Status: enabled

Name: Google Search userstyle
Status: enabled

Name: Greasemonkey
Location: ${PROFILE_EXTENSIONS}/{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
Status: enabled

Name: gtranslate
Location: ${PROFILE_EXTENSIONS}/{aff87fa2-a58e-4edd-b852-0a20203c1e17}.xpi
Status: enabled

Name: HeadingsMap
Location: ${PROFILE_EXTENSIONS}/headi...@niquelheadings.net.xpi
Status: enabled

Name: IMDb userstyle
Status: enabled

Name: itt-datetimes greasemonkey-user-script
Status: enabled

Name: Link Widgets
Location: ${PROFILE_EXTENSIONS}/linkwid...@clav.mozdev.org
Status: enabled

Name: Live HTTP headers
Location: ${PROFILE_EXTENSIONS}/{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
Status: enabled

Name: Move tabbar to the bottom userstyle
Status: user-disabled

Name: Move tabbar to the left userstyle
Status: user-disabled

Name: Move tabbar to the right userstyle
Status: user-disabled

Name: Multiple row bookmark toolbar userstyle
Status: user-disabled

Name: Nerim userstyle
Status: enabled

Name: Open in Browser
Location: ${PROFILE_EXTENSIONS}/openinbrow...@www.spasche.net.xpi
Status: enabled

Name: PeopleForCinema userstyle
Status: enabled

Name: QuickWiki
Location: ${PROFILE_EXTENSIONS}/{EE223D7A-F30F-11DD-8F0A-D2AD55D89593}.xpi
Status: enabled

Name: Slashdot.org - Remove ads userstyle
Status: enabled

Name: SourceForge font size in comments userstyle
Status: enabled

Name: Stylish
Location: ${PROFILE_EXTENSIONS}/{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi
Status: enabled

Name: Tab Mix Plus
Location: ${PROFILE_EXTENSIONS}/{dc572301-7619-498c-a57d-39143191b318}.xpi
Status: enabled

Name: twitter-times greasemonkey-user-script
Status: enabled

Name: us-to-iso8601 greasemonkey-user-script
Status: user-disabled

Name: Web Developer
Location: ${PROFILE_EXTENSIONS}/{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi
Status: enabled

Name: Wikipedia font size userstyle
Status: enabled

Name: X-Ray
Location: ${PROFILE_EXTENSIONS}/{3f1182ea-3243-4d32-8826-71fb1cc9c328}.xpi
Status: enabled

Name: youtube-html5 greasemonkey-user-script
Status: enabled

-- Plugins information

-- Addons package information
ii  firefox-esr  45.9.0esr-1  amd64  Mozilla Firefox web browser - Ext

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox-esr depends on:
ii  debianutils               4.8.1.1
ii  fontconfig                2.11.0-6.7+b1
ii  libasound2                1.1.3-5
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-10
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.18-1
ii  libdbus-glib-1-2          0.108-2
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7+b1
ii  libfreetype6              2.6.3-3.1
ii  libgcc1                   1:6.3.0-14
ii  libgdk-pixbuf2.0-0        2.36.5-2
ii  libglib2.0-0              2.50.3-2
ii  libgtk2.0-0               2.24.31-2
ii  libhunspell-1.4-0         1.4.1-2+b2
ii  libnspr4                  2:4.12-6
ii  libnss3                   2:3.26.2-1
ii  libpango-1.0-0            1.40.5-1
ii  libsqlite3-0              3.16.2-3
ii  libstartup-notification0  0.12-4+b2
ii  libstdc++6                6.3.0-14
ii  libvpx4                   1.6.1-3
ii  libx11-6                  2:1.6.4-3
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-2+b3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-3
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages firefox-esr recommends:
ii  gstreamer1.0-libav         1.10.4-1
ii  gstreamer1.0-plugins-good  1.10.4-1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern           2.004.5-3
ii  fonts-stix [otf-stix]   1.1.1-4
ii  libcanberra0            0.30-3
ii  libgnomeui-0            2.24.5-3.1
ii  libgssapi-krb5-2        1.15-1
pn  mozplugger              <none>

-- no debconf information
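
Added example, not part of the original report and not Firefox code: it converts the hostname from the report to the ASCII (xn--) form that a punycode display would show, and flags non-ASCII labels by script. The function names and the script heuristic are assumptions made for illustration; this is not Firefox's IDN display algorithm.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: the hostname from the report, written with escapes so
# the Cyrillic code points are visible in the source.
SPOOF_URL = "https://www.\u0430\u0440\u0440\u04cf\u0435.com/"


def to_ace(label):
    """Return the ASCII-compatible (xn--) form of one DNS label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts(label):
    """Scripts of the letters in a label, taken from Unicode character names."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def check_host(url):
    """Return (punycode host, [(label, reason), ...]) for a URL."""
    host = urlsplit(url).hostname or ""  # hostname is already lowercased
    labels = host.split(".")
    reasons = []
    for label in labels:
        if label.isascii():
            continue
        used = scripts(label)
        if len(used) > 1:
            reasons.append((label, "mixed scripts: " + ", ".join(sorted(used))))
        elif labels[-1].isascii():
            # Heuristic (assumption): a label written entirely in one
            # non-Latin script under an ASCII TLD deserves a second look.
            script = next(iter(used), "non-letter")
            reasons.append((label, "whole-script " + script + " label under ASCII TLD"))
    return ".".join(to_ace(label) for label in labels), reasons


if __name__ == "__main__":
    ace, reasons = check_host(SPOOF_URL)
    print(ace)
    for label, reason in reasons:
        print(repr(label), reason)
```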