FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mozilla -- hostname spoofing bug

Affected packages
thunderbird < 0.7
de-linux-mozillafirebird < 0.9.2
el-linux-mozillafirebird < 0.9.2
firefox < 0.9.2
ja-linux-mozillafirebird-gtk1 < 0.9.2
ja-mozillafirebird-gtk2 < 0.9.2
linux-mozillafirebird < 0.9.2
ru-linux-mozillafirebird < 0.9.2
zhCN-linux-mozillafirebird < 0.9.2
zhTW-linux-mozillafirebird < 0.9.2
de-netscape7 <= 7.2
fr-netscape7 <= 7.2
ja-netscape7 <= 7.2
netscape7 <= 7.2
pt_BR-netscape7 <= 7.2
linux-mozilla < 1.7
linux-mozilla-devel < 1.7
mozilla-gtk1 < 1.7
mozilla < 1.7,2
0 <= de-linux-netscape
0 <= fr-linux-netscape
0 <= ja-linux-netscape
0 <= linux-netscape
0 <= linux-phoenix
0 <= mozilla+ipv6
0 <= mozilla-embedded
0 <= mozilla-firebird
0 <= mozilla-gtk
0 <= mozilla-gtk2
0 <= mozilla-thunderbird
0 <= phoenix

Details

VuXML ID 5360a659-131c-11d9-bc4a-000c41e2cdad
Discovery 2004-02-12
Entry 2004-09-30

When processing URIs that contain an unqualified host name (specifically, a domain name of only one component), Mozilla will match it against only the first component of the domain name in SSL certificates. In other words, in some situations, a certificate issued to "www.example.com" will be accepted as matching "www".
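The comparison described above, modelled next to a full-name comparison, as an added example that is not Mozilla's code. The function names and sample host names are assumptions constructed for illustration, and `audit` lists the pairs that only the first-component comparison accepts.

```python
# Added illustration: flawed_match models the behaviour the advisory describes;
# it is not taken from Mozilla's source. All host names are constructed samples.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring one trailing dot."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def flawed_match(uri_host, cert_name):
    """An unqualified (single-label) URI host is compared only against the
    first label of the certificate name; other hosts are compared in full."""
    host, cert = _labels(uri_host), _labels(cert_name)
    if len(host) == 1:
        return host[0] == cert[0]
    return host == cert

def strict_match(uri_host, cert_name):
    """Every label must match, so "www" never equals "www.example.com"."""
    host, cert = _labels(uri_host), _labels(cert_name)
    if "" in host or "" in cert:  # reject empty labels such as "a..b"
        return False
    return host == cert

# (URI host, certificate name) pairs, constructed for this example.
SAMPLES = [
    ("www", "www.example.com"),              # the advisory's case
    ("WWW.", "www.example.com"),             # same case, different spelling
    ("www", "www"),                          # genuine single-label match
    ("mail", "www.example.com"),             # first label differs
    ("www.example.com", "www.example.com"),  # genuine full match
    ("www.example.org", "www.example.com"),  # qualified name, wrong domain
]

def audit(samples=SAMPLES):
    """Return the pairs the flawed matcher accepts but the strict one rejects."""
    return [(host, cert) for host, cert in samples
            if flawed_match(host, cert) and not strict_match(host, cert)]

if __name__ == "__main__":
    for host, cert in audit():
        print(f"accepted despite mismatch: URI host {host!r}, certificate {cert!r}")
```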

References

CVE Name CVE-2004-0765
URL http://bugzilla.mozilla.org/show_bug.cgi?id=234058