Izdana je nova inačica programskog paketa mozilla-https-everywhere koja omogućuje sigurnije korištenje mreže i mrežnih servisa putem Mozilla Firefox preglednika.
| Paket: | mozilla-https-everywhere 2.x |
| Operacijski sustavi: | Fedora 15, Fedora 16 |
| Problem: | pogreška u programskoj komponenti |
| Iskorištavanje: | udaljeno |
| Posljedica: | otkrivanje osjetljivih informacija |
| Rješenje: | programska zakrpa proizvođača |
| Izvorni ID preporuke: | FEDORA-2012-7175 |
| Izvor: | Fedora |
| Problem: | |
| Propusti su povezani s neodgovarajućom implementacijom SSL protokola. |
|
| Posljedica: | |
| Udaljeni napadač spomenutu ranjivost može iskoristiti za otkrivanje osjetljivih korisničkih podataka. |
|
| Rješenje: | |
| Rješenje problema sigurnosti je korištenje najnovije inačice paketa. |
|
Izvorni tekst preporuke
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-7175
2012-05-03 07:00:08
--------------------------------------------------------------------------------
Name : mozilla-https-everywhere
Product : Fedora 15
Version : 2.0.3
Release : 2.fc15
URL : https://eff.org/https-everywhere
Summary : HTTPS/HSTS enforcement extension for Mozilla Firefox and SeaMonkey
Description :
HTTPS Everywhere is a Firefox extension produced as a collaboration between
The Tor Project and the Electronic Frontier Foundation. It encrypts your
communications with a number of major websites.
Many sites on the web offer some limited support for encryption over HTTPS,
but make it difficult to use. For instance, they may default to unencrypted
HTTP, or fill encrypted pages with links that go back to the unencrypted site.
The HTTPS Everywhere extension fixes these problems by rewriting all requests
to these sites to HTTPS.
--------------------------------------------------------------------------------
Update Information:
Fix a possible SSL downgrade vulnerability.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 1 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.0.3-2
- Add file that I missed in the last build.
* Sat Apr 28 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.0.3-1
- Fix a downgrade attack that might allow attackers to deny HTTPS
Everywhere protection for cookies on some domains.
https://trac.torproject.org/projects/tor/ticket/5676
- Minor redirection mechanism fixes
- Fixes: WordPress, Yandex, OpenDNS, Via.me/AWS
- Improvements: Mozilla
- Disable broken: ReadWriteWeb
* Fri Apr 20 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.0.2-1
- Fix a weird wrong DOM-origin bug that occurred while redirects were in
-- progress (this might have security implications, although we are unsure
-- if it was exploitable).
-- https://trac.torproject.org/projects/tor/ticket/5477
- By default, use https://google.co.cctld instead of
-- encrypted.google.com
- Add an optional ruleset to use https://www.google.com
-- instead of encrypted.google.com, too
- Ruleset fixes: Debian, Kohls, Malwarebytes, Yandex, Wikipedia, Mises.org,
-- OpenDNS, Wizards of the Coast, Lenovo, Barnes and Noble
-- https://trac.torproject.org/projects/tor/ticket/5509
-- https://trac.torproject.org/projects/tor/ticket/5491
-- https://trac.torproject.org/projects/tor/ticket/5303
- Stumble across more horrible security holes in the Verizon website:
--
https://mail1.eff.org/pipermail/https-everywhere-rules/2012-February/001003.html
- Disable the Gentoo ruleset on non-CAcert platforms
- Disable buggy rulesets: IBM, Scribd, Wunderground :( :( :(
-- https://trac.torproject.org/projects/tor/ticket/5344
-- https://trac.torproject.org/projects/tor/ticket/5435
-- https://trac.torproject.org/projects/tor/ticket/5630
* Wed Feb 29 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.0.1-1
- Sync to upstream 2.0.x branch
- Too many changes to all list here. None affect the end user experience.
Being a Mozilla extension, it'll auto-update anyway.
* Wed Jan 11 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2.2-1
- Google Cache is back!
- Fixes: Wikipedia, Identi.ca, Verizon, CCC.de, UserScripts, Yandex
- Improvements: EFF
- Disable broken: NSF.gov, WHO.int
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update mozilla-https-everywhere' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-7136
2012-05-03 06:53:03
--------------------------------------------------------------------------------
Name : mozilla-https-everywhere
Product : Fedora 16
Version : 2.0.3
Release : 2.fc16
URL : https://eff.org/https-everywhere
Summary : HTTPS/HSTS enforcement extension for Mozilla Firefox and SeaMonkey
Description :
HTTPS Everywhere is a Firefox extension produced as a collaboration between
The Tor Project and the Electronic Frontier Foundation. It encrypts your
communications with a number of major websites.
Many sites on the web offer some limited support for encryption over HTTPS,
but make it difficult to use. For instance, they may default to unencrypted
HTTP, or fill encrypted pages with links that go back to the unencrypted site.
The HTTPS Everywhere extension fixes these problems by rewriting all requests
to these sites to HTTPS.
--------------------------------------------------------------------------------
Update Information:
Fix a possible SSL downgrade vulnerability.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
Fix upstream bug 5676, which fixes an SSL downgrade attack.
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 1 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.0.3-2
- Add file that I missed in the last build.
* Sat Apr 28 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.0.3-1
- Fix a downgrade attack that might allow attackers to deny HTTPS
Everywhere protection for cookies on some domains.
https://trac.torproject.org/projects/tor/ticket/5676
- Minor redirection mechanism fixes
- Fixes: WordPress, Yandex, OpenDNS, Via.me/AWS
- Improvements: Mozilla
- Disable broken: ReadWriteWeb
* Fri Apr 20 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.0.2-1
- Fix a weird wrong DOM-origin bug that occurred while redirects were in
-- progress (this might have security implications, although we are unsure
-- if it was exploitable).
-- https://trac.torproject.org/projects/tor/ticket/5477
- By default, use https://google.co.cctld instead of
-- encrypted.google.com
- Add an optional ruleset to use https://www.google.com
-- instead of encrypted.google.com, too
- Ruleset fixes: Debian, Kohls, Malwarebytes, Yandex, Wikipedia, Mises.org,
-- OpenDNS, Wizards of the Coast, Lenovo, Barnes and Noble
-- https://trac.torproject.org/projects/tor/ticket/5509
-- https://trac.torproject.org/projects/tor/ticket/5491
-- https://trac.torproject.org/projects/tor/ticket/5303
- Stumble across more horrible security holes in the Verizon website:
--
https://mail1.eff.org/pipermail/https-everywhere-rules/2012-February/001003.html
- Disable the Gentoo ruleset on non-CAcert platforms
- Disable buggy rulesets: IBM, Scribd, Wunderground :( :( :(
-- https://trac.torproject.org/projects/tor/ticket/5344
-- https://trac.torproject.org/projects/tor/ticket/5435
-- https://trac.torproject.org/projects/tor/ticket/5630
* Wed Feb 29 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.0.1-1
- Sync to upstream 2.0.x branch
- Too many changes to all list here. None affect the end user experience.
Being a Mozilla extension, it'll auto-update anyway.
* Wed Jan 11 2012 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2.2-1
- Google Cache is back!
- Fixes: Wikipedia, Identi.ca, Verizon, CCC.de, UserScripts, Yandex
- Improvements: EFF
- Disable broken: NSF.gov, WHO.int
* Wed Nov 16 2011 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2.1-1
- Google Cache is broken, remove it from GoogleServices :( :( :(
- Fix for the Google Image Search homepage
- Exclude help.duckduckgo.com:
-- https://trac.torproject.org/projects/tor/ticket/4399
- Disable Yahoo! Mail:
-- https://trac.torproject.org/projects/tor/ticket/4441
- Installable on Firefox 10
* Tue Nov 15 2011 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2-1
- Fixes: WordPress, Statcounter, Java, Bahn.de, SICS.se
- Improvements: use fancy new HTTPS Wikipedia
- Disable broken: OpenUniversity, TV.com, Random.org, kb.CERT
* Thu Oct 20 2011 Russell Golden <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.1-1
- Further tweaks to internals, will hopefully fix a number of weird issues:
-- https://trac.torproject.org/projects/tor/ticket/4194
-- https://trac.torproject.org/projects/tor/ticket/4149
--
https://mail1.eff.org/pipermail/https-everywhere/2011-October/001208.html
- YouTube is enabled by default!
- Fixes: Yandex, Statcounter, Polldaddy, SBB.ch
- Improvements: Facebook+
- Disable broken: Bloglines, EPEAT
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update mozilla-https-everywhere' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke