Bug 926166 - (CVE-2015-0799) VUL-0: CVE-2015-0799: MozillaFirefox: Certificate verification bypass through the HTTP/2 Alt-Svc header (MFSA 2015-44)
(CVE-2015-0799)
VUL-0: CVE-2015-0799: MozillaFirefox: Certificate verification bypass through...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other openSUSE 13.2
: P5 - None : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/115541/
:
Depends on:
Blocks: 925368
  Show dependency treegraph
 
Reported: 2015-04-07 09:05 UTC by Andreas Stieger
Modified: 2020-04-05 18:19 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-04-07 09:05:25 UTC
Certificate verification bypass through the HTTP/2 Alt-Svc header

Announced:     April 3, 2015
Reporter:     Muneaki Nishimura
Impact:     Critical
Products:     Firefox
Fixed in: Firefox 37.0.1

Description:

Security researcher Muneaki Nishimura discovered a flaw in the Mozilla's HTTP Alternative Services implementation. If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MTIM), replacing the original certificate with their own.


References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/
https://bugzilla.mozilla.org/show_bug.cgi?id=1148328
https://bugzilla.redhat.com/show_bug.cgi?id=1208731
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0799
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0799.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0799



I see that mozilla:Factory MozillaFirefox was just updated.
ESR is not affected.
For openSUSE we have an incident running, but I would add this fix as well.
Comment 1 Bernhard Wiedemann 2015-04-07 11:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (926166) was mentioned in
https://build.opensuse.org/request/show/294722 Factory / MozillaFirefox
https://build.opensuse.org/request/show/294723 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/294724 13.1 / MozillaFirefox
Comment 2 Andreas Stieger 2015-04-07 11:02:29 UTC
> https://build.opensuse.org/request/show/294722 Factory / MozillaFirefox
> https://build.opensuse.org/request/show/294723 13.2 / MozillaFirefox
> https://build.opensuse.org/request/show/294724 13.1 / MozillaFirefox

Received with thanks, handling.
Comment 3 Andreas Stieger 2015-04-07 11:11:51 UTC
As this is an upstream regression (in 37.0) fixed in 37.0.1 it will be noted in the patch information as follows:

[[[
The following vulnerability was fixed in functionality that was not released as an update to openSUSE:

* Certificate verification could be bypassed through the HTTP/2 Alt-Svc header (MFSA 2015-44/CVE-2015-0799 bmo#1148328 bnc#926166)

The functionality added in 37.0 and thus removed in 37.0.1 was:

* Opportunistically encrypt HTTP traffic where the server supports
  HTTP/2 AltSvc
]]]
Comment 4 Andreas Stieger 2015-04-08 08:08:40 UTC
released
Comment 5 Swamp Workflow Management 2015-04-08 09:06:59 UTC
openSUSE-SU-2015:0677-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 925368,925392,925393,925394,925395,925396,925397,925398,925399,925400,925401,925402,926166
CVE References: CVE-2015-0799,CVE-2015-0801,CVE-2015-0802,CVE-2015-0803,CVE-2015-0804,CVE-2015-0805,CVE-2015-0806,CVE-2015-0807,CVE-2015-0808,CVE-2015-0811,CVE-2015-0812,CVE-2015-0813,CVE-2015-0814,CVE-2015-0815,CVE-2015-0816
Sources used:
openSUSE 13.2 (src):    MozillaFirefox-37.0.1-23.1, MozillaThunderbird-31.6.0-15.3, mozilla-nspr-4.10.8-6.1
openSUSE 13.1 (src):    MozillaFirefox-37.0.1-68.1, MozillaThunderbird-31.6.0-70.50.2, mozilla-nspr-4.10.8-22.1