Bug 963648 (CVE-2016-1948) - VUL-0: CVE-2016-1948: MozillaFirefox: Lightweight themes on Firefox for Android do not verify a secure connection
Status: RESOLVED INVALID
Alias: CVE-2016-1948
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Android 5.0.x
: P3 - Medium : Critical
Target Milestone: ---
Assignee: Wolfgang Rosenauer
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on: 963520
Blocks:
Reported: 2016-01-26 18:26 UTC by Andreas Stieger
Modified: 2016-01-27 10:37 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2016-01-26 18:26:21 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-12/

Mozilla developer Margaret Leibovic reported that when Firefox for Android installs lightweight themes, it does not check to verify that they are served over an HTTPS connection. Instead, themes can be installed over an unencrypted connection, which could allow for a man-in-the-middle (MITM) attack by third parties replacing the theme content, which consists of images and toolbar text colors.

https://bugzilla.mozilla.org/show_bug.cgi?id=1235876

openSUSE only.
Comment 1 Swamp Workflow Management 2016-01-26 23:01:29 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-01-27 09:31:13 UTC
Android only