1:24 p.m.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253
Summary: CVE-2007-0981: seamonkey cookie setting / same-domain
bypass vulnerability
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: seamonkey
AssignedTo: kengert(a)redhat.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981
"Mozilla based browsers allows remote attackers to bypass the same origin
policy, steal cookies, and conduct other attacks by writing a URI with a null
byte to the hostname (location.hostname) DOM property, due to interactions with
DNS resolver code."
Seamonkey seems vulnerable. See also
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
9:17 p.m.
New subject: Seamonkey issues for FC5? re: Bug# 229253, CVE-2007-0981: seamonkey cookie ... vulnerability
Regarding this new security issue in Bugzilla, #229253, at
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253>
This same issue ought to also exist in the FC5 seamonkey, which has been
created and maintained as a Fedora Core Mozilla replacement, replacing a
former seamonkey package in Fedora Extras. But now that seamonkey is in
core, I don't see how we can file a bug for CVE-2007-0981 against FC5's
Seamonkey? There exists no "seamonkey" component in Bugzilla for Fedora
Core 5. Martin Stransky appears to be the fellow who has taken on work
regarding Seamonkey for FC5, as the Mozilla replacement.
Who should address fixing up Bugzilla's package database, so this so a bug
can be properly filed on the FC5 version of Seamonkey for this
CVE-2007-0981 issue and future issues, and an errata issued? The bug on
"seamonkey missing as Fedora Core component," Bug #222811, has been open
for a month with no response. Who properly owns it?
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222811>;.
Thanks!
Regards,
David Eisenstein
Summary: CVE-2007-0981: seamonkey cookie setting /
same-domain
bypass vulnerability
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: seamonkey
AssignedTo: kengert(a)redhat.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981
"Mozilla based browsers allows remote attackers to bypass the same origin
policy, steal cookies, and conduct other attacks by writing a URI with a null
byte to the hostname (location.hostname) DOM property, due to interactions with
DNS resolver code."
Seamonkey seems vulnerable. See also
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
12:30 p.m.
New subject: Seamonkey issues for FC5? re: Bug# 229253, CVE-2007-0981: seamonkey cookie ... vulnerability
Who should address fixing up Bugzilla's package database, so this so a bug
can be properly filed on the FC5 version of Seamonkey for this
CVE-2007-0981 issue and future issues, and an errata issued? The bug on
"seamonkey missing as Fedora Core component," Bug #222811, has been open
for a month with no response. Who properly owns it?
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222811>;.
Sorry for the delay in responding for this, I'm currently terribly busy with
many things.
I just mailed our bugzilla maintainer with the request to add this
component. It should be added in the next few days.
Thanks.
--
JB
6:26 p.m.
New subject: [Bug 229253] CVE-2007-0981: seamonkey cookie setting / same-domain bypass vulnerability
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2007-0981: seamonkey cookie setting / same-domain bypass vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253
kengert(a)redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution| |CURRENTRELEASE
Fixed In Version| |seamonkey-1.0.8-0.6.2.fc6
------- Additional Comments From kengert(a)redhat.com 2007-04-17 19:26 EST -------
The SeaMonkey version in Fedora Extras 6 is 1.0.8.
SeaMonkey 1.0.8 is based on Mozilla technology version 1.8.0.10.
The underlying bug at mozilla.org has been marked as fixed and verified 1.8.0.10
So I conclude this bug has been fixed in seamonkey-1.0.8-0.6.2.fc6 since 2007-03-01.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
6218
days inactive
6275
days old
security@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
David Eisenstein -
Josh Bressers -
Red Hat Bugzilla