FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mozilla -- built-in CA certificates may be overridden

Affected packages
firefox < 0.9.3
linux-mozilla < 1.7.2
linux-mozilla-devel < 1.7.2
mozilla < 1.7.2,2
1.8.a,2 <= mozilla
mozilla-gtk1 < 1.7.2

Details

VuXML ID 8d823883-0ca9-11d9-8a8a-000c41e2cdad
Discovery 2004-06-29
Entry 2004-09-22

Under some situations, Mozilla will automatically import a certificate from an email message or web site. This behavior can be used as a denial-of-service attack: if the certificate has a distinguished name (DN) identical to one of the built-in Certificate Authorities (CAs), then Mozilla will no longer be able to certify sites with certificates issued from that CA.

References

CERT/CC Vulnerability Note 160360
CVE Name CVE-2004-0758
URL http://banquo.inf.ethz.ch:8080/
URL https://bugzilla.mozilla.org/show_bug.cgi?id=249004

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.