• Search:

The Chief Officers' Network - your business advantage / Industries / InfoTech & Comms / IT Security / IT Security: Serious issues with Firefox and OpenSSH/OpenSSL, says US-CERT

The issues are:

Mozilla Firefox:

1. The WebSockets implementation in Mozilla Firefox 4 through 4.0 Beta 7 does not properly perform proxy upgrade negotiation, which has unspecified impact and remote attack vectors, related to an "inherent problem" with the WebSocket specification.

2. Use-after-free vulnerability in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allows remote attackers to execute arbitrary code via vectors involving a change to an nsDOMAttribute node.

The current stable version of Firefox is 3.6.13 and can be downloaded from http://www.mozilla.com/firefox/

OpenSSH

OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.

The current version of OpenSSH is 5.6. See http://www.openssh.com/

OpenSSL

OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

The current version of OpenSSL is 1.1.0b. See http://www.openssl.org/

Bookmark and Share

Tip a friend

Download PDF Download PDF version of this page





loading