Bug 913222 (CVE-2014-8642) - VUL-0: CVE-2014-8642: MozillaFirefox: Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension (MFSA 2015-08)
Summary: VUL-0: CVE-2014-8642: MozillaFirefox: Delegated OCSP responder certificates f...
Status: RESOLVED FIXED
Alias: CVE-2014-8642
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other openSUSE 13.2
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Petr Cerny
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/112365/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-15 10:45 UTC by Victor Pereira
Modified: 2015-02-11 13:35 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2015-01-15 10:45:22 UTC 
rh#1180974

Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not consider the
id-pkix-ocsp-nocheck extension in deciding whether to trust an OCSP responder,
which makes it easier for remote attackers to obtain sensitive information by
sniffing the network during a session in which there was an incorrect decision
to accept a compromised and revoked certificate.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1180974
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8642
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8642.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8642
http://www.cvedetails.com/cve/CVE-2014-8642/
http://www.mozilla.org/security/announce/2014/mfsa2015-08.html
https://bugzilla.mozilla.org/show_bug.cgi?id=1079658
Comment 1 Swamp Workflow Management 2015-01-15 23:00:18 UTC 
bugbot adjusting priority
Comment 2 Johannes Segitz 2015-02-11 13:35:07 UTC 
fix was released in https://swamp.suse.de/webswamp/wf/60231