Candidate: CVE-2009-2061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2061
Mozilla Firefox before 3.0.10 processes a 3xx HTTP CONNECT response before
a successful SSL handshake, which allows man-in-the-middle attackers to
execute arbitrary web script, in an https site's context, by modifying this
CONNECT response to specify a 302 redirect to an arbitrary https web site.
jdstrand> https://www.paypal.com/ is the PoC site, but https://wiki.ubuntu.com
seems to be a valid trigger as well (both set a cookie which is sent on
connect). https://www.verisign.com will trigger the alert() in the PoC, but
doesn't contain the cookie
jdstrand> firefox-3.0 (3.0.9) is confirmed to be affected
jdstrand> mozilla is silently fixing this in 3.0.10, but it won't be public
jdstrand> konqueror 3 (kdelibs) in dapper is confirmed to be affected
jdstrand> konqueror 4 (kde4libs) in jaunty does not seem to be affected
(displays its own connection refused message for all 4xx codes)
jdstrand> webkit on jaunty does not seem affected, though all of its consumers
are rather flaky (midori, python-webkit/webbrowser.py, webkit/GtkLauncher,
kazehakase-webkit). None of these would work with paypal or wiki.u.c, but
would with https://www.verisign.com/. At verisign, firefox would display
the PoC alert, but without the cookie. webkit, midori and python-webkit would
not display the alert at all (kazehakase crashes on any page load). Other
consumers are devhelp and anjuta, but I didn't see how to get an external
page to load. At any rate, webkit is a tentative 'not-affected'. Will get
more feedback from Debian maintainer.
jdstrand> qt4-x11 in jaunty does not seem to be affected. arora is its
browser consumer and it displays its own 'HTTP request failed' message for
jdstrand> also checked epiphany-webkit on 8.10. The browser can go to paypal,
but is not vulnerable (does not display the alert at all for all 4xx codes)
https://bugzilla.mozilla.org/show_bug.cgi?id=479880
upstream_firefox: needs-triage
dapper_firefox: ignored (reached end-of-life)
hardy_firefox: ignored (uses system xulrunner)
lucid_firefox: not-affected
maverick_firefox: not-affected
natty_firefox: not-affected
devel_firefox: not-affected
Patches_xulrunner-1.9:
upstream_xulrunner-1.9: released (1.9.0.11)
dapper_xulrunner-1.9: DNE
hardy_xulrunner-1.9: released (1.9.0.11+build2+nobinonly-0ubuntu0.8.04.1)
intrepid_xulrunner-1.9: released (1.9.0.11+build2+nobinonly-0ubuntu0.8.10.2)
jaunty_xulrunner-1.9: released (1.9.0.11+build2+nobinonly-0ubuntu0.9.04.1)
karmic_xulrunner-1.9: DNE
lucid_xulrunner-1.9: DNE
maverick_xulrunner-1.9: DNE
natty_xulrunner-1.9: DNE
devel_xulrunner-1.9: DNE
Patches_xulrunner-1.9.1:
upstream_xulrunner-1.9.1: released (1.9.1rc2)
dapper_xulrunner-1.9.1: DNE
hardy_xulrunner-1.9.1: DNE
intrepid_xulrunner-1.9.1: DNE
jaunty_xulrunner-1.9.1: released (1.9.1+nobinonly-0ubuntu0.9.04.1)
karmic_xulrunner-1.9.1: released (1.9.1~rc2+nobinonly-0ubuntu1)
lucid_xulrunner-1.9.1: DNE
maverick_xulrunner-1.9.1: DNE
natty_xulrunner-1.9.1: DNE
devel_xulrunner-1.9.1: DNE
upstream_seamonkey: needs-triage
hardy_seamonkey: released (1.1.17+nobinonly-0ubuntu0.8.04.1)
intrepid_seamonkey: released (1.1.17+nobinonly-0ubuntu0.8.10.1)
jaunty_seamonkey: released (1.1.17+nobinonly-0ubuntu0.9.04.1)
karmic_seamonkey: released (1.1.17+nobinonly-0ubuntu1)
lucid_seamonkey: released (1.1.17+nobinonly-0ubuntu1)
maverick_seamonkey: released (1.1.17+nobinonly-0ubuntu1)
natty_seamonkey: released (1.1.17+nobinonly-0ubuntu1)
devel_seamonkey: released (1.1.17+nobinonly-0ubuntu1)
upstream_webkit: needs-triage
hardy_webkit: ignored (reached end-of-life)
intrepid_webkit: needs-triage (reached end-of-life)
jaunty_webkit: not-affected
karmic_webkit: not-affected
lucid_webkit: not-affected
maverick_webkit: not-affected
natty_webkit: not-affected
devel_webkit: not-affected
upstream_kdelibs: needs-triage
dapper_kdelibs: ignored (reached end-of-life)
hardy_kdelibs: ignored (reached end-of-life)
intrepid_kdelibs: needs-triage (reached end-of-life)
jaunty_kdelibs: not-affected
karmic_kdelibs: not-affected
lucid_kdelibs: not-affected
maverick_kdelibs: not-affected
natty_kdelibs: not-affected
devel_kdelibs: not-affected
upstream_kde4libs: needs-triage
hardy_kde4libs: ignored (reached end-of-life)
intrepid_kde4libs: needs-triage (reached end-of-life)
jaunty_kde4libs: not-affected
karmic_kde4libs: not-affected
lucid_kde4libs: not-affected
maverick_kde4libs: not-affected
natty_kde4libs: not-affected
devel_kde4libs: not-affected
upstream_qt4-x11: needs-triage
dapper_qt4-x11: not-affected (code does not exist)
hardy_qt4-x11: not-affected (code does not exist)
intrepid_qt4-x11: needs-triage (reached end-of-life)
jaunty_qt4-x11: not-affected
karmic_qt4-x11: not-affected
lucid_qt4-x11: not-affected
maverick_qt4-x11: not-affected
natty_qt4-x11: not-affected
devel_qt4-x11: not-affected