Bug 1149300 (CVE-2019-11737)

Summary: VUL-1: CVE-2019-11737: MozillaFirefox: Content security policy directives ignore port and path if host is a wildcard
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Charles Robertson <cgrobertson>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: abergmann, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/241696/
Whiteboard: CVSSv2:NVD:CVE-2019-11737:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1149324
Bug Blocks:

Description Alexander Bergmann 2019-09-04 06:49:39 UTC
CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard

Reporter   Xiaoyin Liu
Impact     low

Description
If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content.


References:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11737
https://bugzilla.mozilla.org/show_bug.cgi?id=1388015
https://bugzilla.redhat.com/show_bug.cgi?id=1748675
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11737
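The matching failure described in the report, as an added example (not code from Firefox, Mozilla or this bug entry): a simplified CSP host-source matcher in Python, with a `wildcard_bug` flag that reproduces the reported behaviour of never consulting the port and path once the host is a bare `*`. The grammar, scheme handling and default-port table are simplifying assumptions, not the full CSP3 matching algorithm.

```python
import re
from urllib.parse import urlsplit

# Simplified CSP host-source grammar: [scheme://]host[:port][path] (assumption: no keyword sources).
_SRC_RE = re.compile(
    r"^(?:(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*)"
    r"(?::(?P<port>\*|\d+))?"
    r"(?P<path>/[^?#]*)?$"
)
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def parse_source(expr):
    m = _SRC_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported source expression: {expr!r}")
    return m.groupdict()

def host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):           # *.example.com matches a.example.com, not example.com
        return host.endswith(pattern[1:])
    return host == pattern

def port_matches(pattern, scheme, port):
    if pattern is None:                     # no port in the source: URL must use its scheme's default
        return port == DEFAULT_PORTS.get(scheme)
    return pattern == "*" or port == int(pattern)

def path_matches(pattern, path):
    if not pattern:
        return True
    return path.startswith(pattern) if pattern.endswith("/") else path == pattern

def source_matches(expr, url, wildcard_bug=False):
    """True if `url` is allowed by the CSP source expression `expr`.
    wildcard_bug=True models the reported defect: once the host is '*',
    the port and path parts of the directive are never consulted."""
    src, u = parse_source(expr), urlsplit(url)
    host = u.hostname or ""
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    if src["scheme"] and src["scheme"] != u.scheme:
        return False
    if not host_matches(src["host"], host):
        return False
    if wildcard_bug and src["host"] == "*":
        return True
    return port_matches(src["port"], u.scheme, port) and path_matches(src["path"], u.path or "/")
```

With `wildcard_bug=False` a directive such as `*:8443/api/` still rejects a script served on the default port or outside `/api/`, which is the behaviour the Firefox 69 fix restores.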
Comment 1 Alexander Bergmann 2019-11-20 16:07:40 UTC
This issue is fixed in Firefox 69.

openSUSE uses different versions:

openSUSE:Leap:15.0 60.0esr
openSUSE:Leap:15.1 60.6.2esr
openSUSE:Leap:15.2 68.2.0esr
openSUSE:Factory   70.0.1

SLE is also using only ESR versions and not Firefox 69.

Closing bug as invalid.