CVE-2009-1836

Priority
Description
Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey
before 1.1.17 use the HTTP Host header to determine the context of a
document provided in a non-200 CONNECT response from a proxy server, which
allows man-in-the-middle attackers to execute arbitrary web script by
modifying this CONNECT response, aka an "SSL tampering" attack.
Notes
jdstrand: CVEs in Firefox are tracked in the xulrunner source packages. The
mapping of xulrunner sources to firefox is:
xulrunner (1.8.0): firefox (1.5) - Ubuntu 6.06 LTS
xulrunner (1.8.1): firefox (2.0) - Ubuntu 6.10 - 8.04 LTS
xulrunner-1.9: firefox-3.0
xulrunner-1.9.1: firefox-3.5
Ubuntu 6.06 LTS and 10.04 LTS use the embedded xulrunner and not
the system xulrunner-1.9.2, so it is tracked in the firefox source package.
Package
Upstream:needs-triage
More Information

Updated: 2020-09-10 01:28:29 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)