Bugzilla – Bug 925394
VUL-0: CVE-2015-0812: MozillaFirefox: Add-on lightweight theme installation approval bypassed through MITM attack (MFSA 2015-32)
Last modified: 2015-04-08 09:05:32 UTC
Add-on lightweight theme installation approval bypassed through MITM attack Announced: March 31, 2015 Reporter: Armin Razmdjou Impact: Moderate Products: Firefox Fixed in: Firefox 37 Description Security researcher Armin Razmdjou discovered that a man-in-the-middle (MITM) attacker spoofing a Mozilla sub-domain could bypass user approval messages to install a Firefox lightweight theme. This was possible because add-on installations of the lightweight themes do not require the use of HTTP over SSL. Firefox extensions were not directly affected and still required user approval for installation. References: https://www.mozilla.org/en-US/security/advisories/mfsa2015-32/ https://bugzilla.mozilla.org/show_bug.cgi?id=1128126 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0812
Update for openSUSE 13.1 and 13.2 is running, assigning openSUSE only bugs back to security team.
merge into parent *** This bug has been marked as a duplicate of bug 925368 ***
openSUSE-SU-2015:0677-1: An update that fixes 15 vulnerabilities is now available. Category: security (important) Bug References: 925368,925392,925393,925394,925395,925396,925397,925398,925399,925400,925401,925402,926166 CVE References: CVE-2015-0799,CVE-2015-0801,CVE-2015-0802,CVE-2015-0803,CVE-2015-0804,CVE-2015-0805,CVE-2015-0806,CVE-2015-0807,CVE-2015-0808,CVE-2015-0811,CVE-2015-0812,CVE-2015-0813,CVE-2015-0814,CVE-2015-0815,CVE-2015-0816 Sources used: openSUSE 13.2 (src): MozillaFirefox-37.0.1-23.1, MozillaThunderbird-31.6.0-15.3, mozilla-nspr-4.10.8-6.1 openSUSE 13.1 (src): MozillaFirefox-37.0.1-68.1, MozillaThunderbird-31.6.0-70.50.2, mozilla-nspr-4.10.8-22.1