CVE-2015-2741

Publication date 5 July 2015

Last updated 24 July 2024


Ubuntu priority

Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 do not enforce key pinning upon encountering an X.509 certificate problem that generates a user dialog, which allows user-assisted man-in-the-middle attackers to bypass intended access restrictions by triggering a (1) expired certificate or (2) mismatched hostname for a domain with pinning enabled.

Status

Package Ubuntu Release Status
firefox 15.04 vivid
Fixed 39.0+build5-0ubuntu0.15.04.1
14.10 utopic
Fixed 39.0+build5-0ubuntu0.14.10.1
14.04 LTS trusty
Fixed 39.0+build5-0ubuntu0.14.04.1
12.04 LTS precise
Fixed 39.0+build5-0ubuntu0.12.04.2
thunderbird 15.04 vivid
Fixed 1:31.8.0+build1-0ubuntu0.15.04.1
14.10 utopic
Fixed 1:31.8.0+build1-0ubuntu0.14.10.1
14.04 LTS trusty
Fixed 1:31.8.0+build1-0ubuntu0.14.04.1
12.04 LTS precise
Fixed 1:31.8.0+build1-0ubuntu0.12.04.1