Bugzilla – Bug 1021832
VUL-0: CVE-2017-5384: MozillaFirefox: Information disclosure via Proxy Auto-Config (PAC)
Last modified: 2020-04-05 18:06:38 UTC
Security vulnerabilities fixed in Firefox 51 https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/ Discovered by: Paul Stone, Alex Chapman Proxy Auto-Config (PAC) files can specify a JavaScript function called for all URL requests with the full URL path which exposes more information than would be sent to the proxy itself in the case of HTTPS. Normally the Proxy Auto-Config file is specified by the user or machine owner and presumed to be non-malicious, but if a user has enabled Web Proxy Auto Detect (WPAD) this file can be served remotely. https://bugzilla.mozilla.org/show_bug.cgi?id=1255474 https://www.contextis.com//resources/blog/leaking-https-urls-20-year-old-vulnerability/
Firefox 51 / openSUSE only. Does not affect SLE. Assigning to openSUSE maintainer.
bugbot adjusting priority
This is going out for openSUSE: FF, TB, Seamonkey, NSS. The Java update to fix the NSS compatibility will follow shortly.
openSUSE-SU-2017:0358-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 1017174,1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021823,1021824,1021826,1021827,1021828,1021830,1021831,1021832,1021833,1021835,1021837,1021839,1021840,1021841 CVE References: CVE-2017-5373,CVE-2017-5374,CVE-2017-5375,CVE-2017-5376,CVE-2017-5377,CVE-2017-5378,CVE-2017-5379,CVE-2017-5380,CVE-2017-5381,CVE-2017-5382,CVE-2017-5383,CVE-2017-5384,CVE-2017-5385,CVE-2017-5386,CVE-2017-5387,CVE-2017-5388,CVE-2017-5389,CVE-2017-5390,CVE-2017-5391,CVE-2017-5392,CVE-2017-5393,CVE-2017-5394,CVE-2017-5395,CVE-2017-5396 Sources used: openSUSE Leap 42.2 (src): MozillaFirefox-51.0.1-50.2 openSUSE Leap 42.1 (src): MozillaFirefox-51.0.1-50.2