Bugzilla – Bug 1149300
VUL-1: CVE-2019-11737: MozillaFirefox: Content security policy directives ignore port and path if host is a wildcard
Last modified: 2019-11-20 16:07:40 UTC
CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard

Reporter: Xiaoyin Liu
Impact: low

Description:
If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content.

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11737
https://bugzilla.mozilla.org/show_bug.cgi?id=1388015
https://bugzilla.redhat.com/show_bug.cgi?id=1748675
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11737
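
The matching behaviour described above, as an added example that is not part of the original report and is not Firefox's code: a simplified CSP host-source matcher in which the hypothetical `wildcardBug` flag models a `*` host skipping the port and path checks, plus a hypothetical `restrictedWildcardSources` helper that lists the sources in a policy that rely on those checks. Hostnames and the sample policy are constructed.

```javascript
// Assumptions: only [scheme://]host[:port][/path] sources are handled; no
// percent-decoding, no http->https upgrade rules, keyword sources are skipped.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };
// Constructed sample policy.
const SAMPLE_POLICY = "default-src 'self'; script-src https://*:8443/static/ https://cdn.example.com";

function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return null; // keyword ('self', 'none') or scheme-only source
  return { scheme: m[1] || null, host: m[2].toLowerCase(), port: m[3] || null, path: m[4] || null };
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function pathMatches(pattern, path) {
  if (!pattern) return true;
  // A trailing "/" means prefix match, otherwise the path must match exactly.
  return pattern.endsWith("/") ? path.startsWith(pattern) : path === pattern;
}

function sourceAllows(expr, urlString, { wildcardBug = false } = {}) {
  const src = parseSource(expr);
  if (!src) return false;
  const url = new URL(urlString);
  if (src.scheme && src.scheme.toLowerCase() + ":" !== url.protocol) return false;
  if (!hostMatches(src.host, url.hostname)) return false;
  // Models the reported behaviour: "*" host returns before port/path are checked.
  if (wildcardBug && src.host === "*") return true;
  const defaultPort = DEFAULT_PORTS[url.protocol] || "";
  if (src.port !== "*" && (src.port || defaultPort) !== (url.port || defaultPort)) return false;
  return pathMatches(src.path, url.pathname);
}

// Policy audit: sources whose port or path restriction only holds on a fixed browser.
function restrictedWildcardSources(policy) {
  const hits = [];
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    for (const s of sources) {
      const p = parseSource(s);
      if (p && p.host === "*" && ((p.port && p.port !== "*") || p.path)) hits.push({ directive: name, source: s });
    }
  }
  return hits;
}
```
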
This issue is fixed in Firefox 69.

openSUSE uses different versions:
openSUSE:Leap:15.0 60.0esr
openSUSE:Leap:15.1 60.6.2esr
openSUSE:Leap:15.2 68.2.0esr
openSUSE:Factory 70.0.1

SLE is also using only ESR versions and not Firefox 69.

Closing bug as invalid.