|Description||Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 220.127.116.11, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also accepted for all domain names in subjectAltName:dNSName fields, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|References||DSA-1607-1, DSA-1615-1, DSA-1621-1, DSA-1697-1|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|icedove (PTS)||jessie (security), jessie||1:52.3.0-4~deb8u2||fixed|
The information below is based on the following data on fixed versions.
Firefox 3 not affected