Regarding this new security issue in Bugzilla, #229253, at
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253>

This same issue ought to also exist in the FC5 seamonkey, which has been
created and maintained as a Fedora Core Mozilla replacement, replacing a
former seamonkey package in Fedora Extras. But now that seamonkey is in
core, I don't see how we can file a bug for CVE-2007-0981 against FC5's
Seamonkey? There exists no "seamonkey" component in Bugzilla for Fedora
Core 5. Martin Stransky appears to be the fellow who has taken on work
regarding Seamonkey for FC5, as the Mozilla replacement.

Who should address fixing up Bugzilla's package database, so that a bug
can be properly filed on the FC5 version of Seamonkey for this
CVE-2007-0981 issue and future issues, and an errata issued? The bug on
"seamonkey missing as Fedora Core component," Bug #222811, has been open
for a month with no response. Who properly owns it?
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222811>.

Thanks!

Regards,
David Eisenstein

Summary: CVE-2007-0981: seamonkey cookie setting / same-domain bypass vulnerability
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: seamonkey
AssignedTo: kengert@xxxxxxxxxx
ReportedBy: ville.skytta@xxxxxx
QAContact: extras-qa@xxxxxxxxxxxxxxxxx
CC: fedora-security-list@xxxxxxxxxx

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981

"Mozilla based browsers allows remote attackers to bypass the same origin
policy, steal cookies, and conduct other attacks by writing a URI with a null
byte to the hostname (location.hostname) DOM property, due to interactions with
DNS resolver code."

Seamonkey seems vulnerable. See also
https://bugzilla.mozilla.org/show_bug.cgi?id=370445

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list