forwarded 320539 https://bugzilla.mozilla.org/show_bug.cgi?id=281851
thanks

* Joey Hess ([EMAIL PROTECTED]) wrote:
> Package: mozilla-firefox
> Version: 1.0.5-1
> Severity: important
>
> I've tested firefox to be vulnerable to CAN-2005-2395.
>
> Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the
> strongest authentication scheme available as required by RFC2617, which
> might cause credentials to be sent in plaintext even if an encrypted channel
> is available.
>
> For details, see http://www.securityfocus.com/archive/1/405666

Seems there's a patch now, but it hasn't been reviewed, and the mozilla
developers don't seem tremendously concerned.

-- 
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+ O? M++ V-- PS+ PE Y+
PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+ G e h! r- y+
------END GEEK CODE BLOCK------
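Added example, not part of the original message and not Mozilla's code: a sketch of the RFC 2617 rule quoted in the report, where a client parses every WWW-Authenticate challenge it receives and answers the strongest scheme it understands rather than whichever is listed first. The function names, the strength table (only Basic and Digest, Digest ranked higher) and the sample headers are assumptions made for this illustration.

```javascript
// Relative strength of the schemes this client understands (assumption: only
// the two schemes defined by RFC 2617; anything else counts as unknown).
const STRENGTH = new Map([["basic", 1], ["digest", 2]]);
const PARAM = /^([A-Za-z0-9_-]+)\s*=\s*(.*)$/;

// Split a header value on commas that are not inside a quoted-string.
function splitOutsideQuotes(value) {
  const parts = [];
  let cur = "", inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\" && i + 1 < value.length) { cur += ch + value[++i]; continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === "," && !inQuotes) { parts.push(cur.trim()); cur = ""; } else cur += ch;
  }
  parts.push(cur.trim());
  return parts.filter(Boolean);
}

const unquote = (v) =>
  v.length > 1 && v.startsWith('"') && v.endsWith('"') ? v.slice(1, -1).replace(/\\(.)/g, "$1") : v;

// Flatten all WWW-Authenticate values into a list of { scheme, params }.
// A piece that is not "name=value" starts a new challenge (token68 data is not handled).
function parseChallenges(headerValues) {
  const challenges = [];
  for (const value of headerValues) {
    for (const part of splitOutsideQuotes(value)) {
      let m = PARAM.exec(part);
      if (!m) {
        const sp = part.search(/\s/);
        challenges.push({ scheme: (sp < 0 ? part : part.slice(0, sp)).toLowerCase(), params: {} });
        m = sp < 0 ? null : PARAM.exec(part.slice(sp).trim());
      }
      if (m && challenges.length) challenges[challenges.length - 1].params[m[1].toLowerCase()] = unquote(m[2]);
    }
  }
  return challenges;
}

// Pick the strongest understood scheme; unknown schemes are skipped, order is irrelevant.
function chooseStrongest(challenges) {
  let best = null;
  for (const c of challenges) {
    const rank = STRENGTH.get(c.scheme);
    if (rank !== undefined && (best === null || rank > STRENGTH.get(best.scheme))) best = c;
  }
  return best;
}

// Constructed sample: Basic is offered first, Digest and an unknown scheme follow.
const SAMPLE = ['Basic realm="example, plaintext"',
  'Digest realm="example", qop="auth", nonce="CONSTRUCTED-NONCE", NewScheme x=1'];
console.log(chooseStrongest(parseChallenges(SAMPLE)));
```

A client that simply answers the first challenge in SAMPLE would send Basic credentials; chooseStrongest returns the Digest challenge instead.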