Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200407-15 ] Opera: Multiple spoofing vulnerabilities
Date: Tue, 20 Jul 2004 19:35:27
Message-Id: 200407202129.04890.jaervosz@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200407-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Opera: Multiple spoofing vulnerabilities
Date: July 20, 2004
Bugs: #56311, #56109
ID: 200407-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Opera contains three vulnerabilities, allowing an attacker to
impersonate legitimate websites with URI obfuscation or to spoof
websites with frame injection.

Background
==========

Opera is a multi-platform web browser.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-www/opera               <= 7.52                       >= 7.53

Description
===========

Opera fails to remove illegal characters from a URI of a link and to
check that the target frame of a link belongs to the same website as
the link. Opera also updates the address bar before loading a page.
Additionally, Opera contains a certificate verification problem.

Impact
======

These vulnerabilities could allow an attacker to impersonate legitimate
websites to steal sensitive information from users. This could be done
by obfuscating the real URI of a link or by injecting a malicious frame
into an arbitrary frame of another browser window.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All Opera users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv ">=net-www/opera-7.53"
    # emerge ">=net-www/opera-7.53"

References
==========

  [ 1 ] Bugtraq Announcement
        http://www.securityfocus.com/bid/10517
  [ 2 ] Secunia Advisory SA11978
        http://secunia.com/advisories/11978/
  [ 3 ] Secunia Advisory SA12028
        http://secunia.com/advisories/12028/
  [ 4 ] Opera Changelog
        http://www.opera.com/linux/changelogs/753/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200407-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA/XJgzKC5hMHO6rkRAsw7AKCEwOCVjJJjNsymicSQe0VelGnz6QCfbYia
UVsS/TvNJcPfLhkm7ZRRiOM=
=lBS2
-----END PGP SIGNATURE-----