Seamonkey issues for FC5? re: Bug# 229253, CVE-2007-0981: seamonkey cookie ... vulnerability

David Eisenstein deisenst at gtw.net
Fri Feb 23 03:17:52 UTC 2007


Regarding this new security issue in Bugzilla, #229253, at

<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253>

This same issue ought to also exist in the FC5 seamonkey, which has been
created and maintained as a Fedora Core Mozilla replacement, replacing a 
former seamonkey package in Fedora Extras.  But now that seamonkey is in 
core, I don't see how we can file a bug for CVE-2007-0981 against FC5's 
Seamonkey?  There exists no "seamonkey" component in Bugzilla for Fedora 
Core 5.  Martin Stransky appears to be the fellow who has taken on work 
regarding Seamonkey for FC5, as the Mozilla replacement.

Who should address fixing up Bugzilla's package database, so that a bug
can be properly filed on the FC5 version of Seamonkey for this
CVE-2007-0981 issue and future issues, and an errata issued?  The bug on 
"seamonkey missing as Fedora Core component," Bug #222811, has been open 
for a month with no response.  Who properly owns it?
    <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222811>.

Thanks!

	Regards,
	David Eisenstein

>            Summary: CVE-2007-0981: seamonkey cookie setting / same-domain
>                     bypass vulnerability
>            Product: Fedora Extras
>            Version: fc6
>           Platform: All
>         OS/Version: Linux
>             Status: NEW
>           Severity: medium
>           Priority: normal
>          Component: seamonkey
>         AssignedTo: kengert at redhat.com
>         ReportedBy: ville.skytta at iki.fi
>          QAContact: extras-qa at fedoraproject.org
>                 CC: fedora-security-list at redhat.com
> 
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981
> 
> "Mozilla based browsers allows remote attackers to bypass the same origin
> policy, steal cookies, and conduct other attacks by writing a URI with a null
> byte to the hostname (location.hostname) DOM property, due to interactions with
> DNS resolver code."
> 
> Seamonkey seems vulnerable.  See also
> https://bugzilla.mozilla.org/show_bug.cgi?id=370445



