Bug#576466: iceweasel: CVE-2009-0777 address bar spoofing

Moritz Muehlenhoff jmm at inutil.org
Thu Apr 8 22:00:35 UTC 2010


On Mon, Apr 05, 2010 at 09:39:06AM +0200, Mike Hommey wrote:
> On Sun, Apr 04, 2010 at 05:52:13PM -0400, Michael Gilbert wrote:
> > package: iceweasel
> > severity: important
> > version: 3.0.6-3
> > tags: security
> > 
> > hi, iceweasel in lenny is still vulnerable to an address bar spoofing
> > vulnerability, that was fixed in an MFSA a while back.  this is
> > probably not worth fixing on its own, but if there are other pending
> > security backports, it would be useful to fix it.  see:
> > 
> > https://bugzilla.mozilla.org/show_bug.cgi?id=452979
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0777
> 
> Damn.
> 
> Here is what I wrote in October, with Moritz's answer following:
> 
> >> Now, wondering on http://security-tracker.debian.org/ I saw that I
> >> forgot CVE-2009-0777 :( It was fixed on 3.0.7-1 in unstable, but maybe
> >> it was decided to keep it for later, in which case we just forgot it,
> >> later... a bit like #512111.
> >>
> >> Maybe we should do an iceweasel security update for this one... (it's
> >> a
> >> browser issue, not a xulrunner one)
> >
> > Hmm, we indeed missed it. But since it's a low severity issue let's
> > postpone
> > it for the next round of issues affecting Iceweasel.
> 
> Unfortunately, there hasn't been a next round of issues affecting
> Iceweasel only.

I don't think anything has really changed, if there's a more severe issue
we can fix it along, but we don't need a iceweasel update on it's own.

Cheers,
        Moritz





More information about the pkg-mozilla-maintainers mailing list