Bug#320538: weak authentication mechanism vulnerability (CAN-2005-2395)

Fri, 29 Jul 2005 20:08:29 -0700 

Package: mozilla-browser
Version: 2:1.7.8-1
Severity: important
Tags: security

I've tested mozilla to be vulnerable to CAN-2005-2395, although the
original advisory only mentioned firefox:

Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the
strongest authentication scheme available as required by RFC2617, which might
cause credentials to be sent in plaintext even if an encrypted channel is
available.

For details, see http://www.securityfocus.com/archive/1/405666

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages mozilla-browser depends on:
ii  debconf                   1.4.52         Debian configuration management sy
ii  libatk1.0-0               1.10.1-2       The ATK accessibility toolkit
ii  libc6                     2.3.2.ds1-22   GNU C Library: Shared libraries an
ii  libfontconfig1            2.3.2-1        generic font configuration library
ii  libfreetype6              2.1.10-1       FreeType 2 font engine, shared lib
ii  libgcc1                   1:4.0.1-2      GCC support library
ii  libglib2.0-0              2.6.5-1        The GLib library of C routines
ii  libgtk2.0-0               2.6.8-1        The GTK+ graphical user interface 
ii  libnspr4                  2:1.7.8-1      Netscape Portable Runtime Library
ii  libpango1.0-0             1.8.1-1        Layout and rendering of internatio
ii  libstdc++5                1:3.3.6-7      The GNU Standard C++ Library v3
ii  libx11-6                  6.8.2.dfsg.1-3 X Window System protocol client li
ii  libxext6                  6.8.2.dfsg.1-3 X Window System miscellaneous exte
ii  libxft2                   2.1.7-1        FreeType-based font drawing librar
ii  libxp6                    6.8.2.dfsg.1-3 X Window System printing extension
ii  libxrender1               1:0.9.0-2      X Rendering Extension client libra
ii  libxt6                    6.8.2.dfsg.1-3 X Toolkit Intrinsics
ii  psmisc                    21.6-1         Utilities that use the proc filesy
ii  xlibs                     6.8.2.dfsg.1-3 X Window System client libraries m
ii  zlib1g                    1:1.2.2-9      compression library - runtime

Versions of packages mozilla-browser recommends:
ii  mozilla-psm                   2:1.7.8-1  The Mozilla Internet application s
pn  myspell-en-us | myspell-dicti <none>     (no description available)

-- debconf information excluded

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature

Reply via email to