Re: CVE request: firefox doesn't (re)validate certificates when loading HTTPS page

[Josh Bressers <bressers () redhat com>]

I'm going to save this one for upstream. It's possible they've already
assigned something (Mozilla is a CNA).

I've CC'd Reed in the rare event he doesn't know about this.

Thanks.

-- 
    JB

----- Original Message -----
> Hi,
> found this in RH's bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=709165
>
> Vincent Danen 2011-05-30 18:38:43 EDT
>
> A Debian bug report [1] indicated that Firefox 4.0.x handled the
> validation/revalidation of SSL certificates improperly. If a user were
> to
> visit a site with an untrusted certificate, Firefox would correctly
> display the
> warning about the untrusted connection. If a user were to confirm the
> security
> exception for a single session (not check off the "permanently store
> this
> exception"), then restart the browser and re-load the page, the
> contents of the
> page would be displayed from the Firefox cache. Upon reloading the
> page, the
> security warning would appear, but incorrectly indicates that the site
> provides
> a valid, verified certificate and there is no way to confirm the
> exception.
> [...]
>
> --
> Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
> SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
> 21284 (AG Nürnberg
> --
> Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
> -- Marie von Ebner-Eschenbach