Bug 966438 - (CVE-2016-1949) VUL-0: CVE-2016-1949: MozillaFirefox: MFSA2016-13: Same-origin-policy violation using Service Workers with plugins
(CVE-2016-1949)
VUL-0: CVE-2016-1949: MozillaFirefox: MFSA2016-13: Same-origin-policy violati...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Petr Cerny
Security Team bot
https://smash.suse.de/issue/161849/
CVSSv2:RedHat:CVE-2016-1949:6.8:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-12 09:44 UTC by Alexander Bergmann
Modified: 2020-04-05 18:20 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-02-12 09:44:56 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/

Same-origin-policy violation using Service Workers with plugins

Announced: February 11, 2016
Reporter:  Jason Pang
Impact:    Critical
Products:  Firefox
Fixed in:  Firefox 44.0.2

Description:
Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.

References:
NPAPI-initiated network requests can be intercepted by service workers breaking plugin origin expectations (CVE-2016-1949)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1306856
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1949
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1949.html
Comment 1 Swamp Workflow Management 2016-02-12 23:00:39 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2016-02-16 10:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (966438) was mentioned in
https://build.opensuse.org/request/show/359592 13.1 / MozillaFirefox
Comment 3 Andreas Stieger 2016-02-17 07:07:49 UTC
releasing update
Comment 4 Swamp Workflow Management 2016-02-17 11:11:45 UTC
openSUSE-SU-2016:0489-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 966438
CVE References: CVE-2016-1949
Sources used:
openSUSE Leap 42.1 (src):    MozillaFirefox-44.0.2-15.2
openSUSE 13.2 (src):    MozillaFirefox-44.0.2-62.1
Comment 5 Petr Cerny 2016-02-17 15:25:21 UTC
Firefox 38.x ESR isnot affected by this one (it is by bug 965810 though)
Comment 6 Swamp Workflow Management 2016-02-24 11:11:43 UTC
openSUSE-SU-2016:0553-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 966438
CVE References: CVE-2016-1949
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-44.0.2-106.1
Comment 7 Bernhard Wiedemann 2016-02-26 23:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (966438) was mentioned in
https://build.opensuse.org/request/show/362048 Factory / MozillaFirefox