CVE 2011-3389
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Related bugs and status
CVE-2011-3389 (Candidate) is related to these bugs:
Bug #878684: Update icedtea-java7 to Java SE 7 Update 1
Bug | Summary | In | Importance | Status
---|---|---|---|---
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-6 (Ubuntu) | Undecided | Fix Released
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-7 (Ubuntu) | Undecided | Fix Released
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-6 (Ubuntu Lucid) | High | Fix Released
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-7 (Ubuntu Lucid) | Undecided | Invalid
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-6 (Ubuntu Maverick) | High | Fix Released
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-7 (Ubuntu Maverick) | Undecided | Invalid
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-6 (Ubuntu Natty) | High | Fix Released
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-7 (Ubuntu Natty) | Undecided | Invalid
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-6 (Ubuntu Oneiric) | High | Fix Released
878684 | Update icedtea-java7 to Java SE 7 Update 1 | openjdk-7 (Ubuntu Oneiric) | Undecided | Fix Released
Bug #881746: Oracle (Sun) Java JRE/JDK 6: Update 26 has critical security vulnerabilities, fixed in Update 29
Bug | Summary | In | Importance | Status
---|---|---|---|---
881746 | Oracle (Sun) Java JRE/JDK 6: Update 26 has critical security vulnerabilities, fixed in Update 29 | sun-java6 (Ubuntu) | Undecided | Won't Fix
881746 | Oracle (Sun) Java JRE/JDK 6: Update 26 has critical security vulnerabilities, fixed in Update 29 | sun-java6 (CentOS) | Medium | Invalid
881746 | Oracle (Sun) Java JRE/JDK 6: Update 26 has critical security vulnerabilities, fixed in Update 29 | sun-java6 (Debian) | Unknown | Fix Released
881746 | Oracle (Sun) Java JRE/JDK 6: Update 26 has critical security vulnerabilities, fixed in Update 29 | Sun Java | Undecided | Fix Released
Bug #1003049: Merge curl 7.25.0-1 (main) from debian testing (main)
Bug | Summary | In | Importance | Status
---|---|---|---|---
1003049 | Merge curl 7.25.0-1 (main) from debian testing (main) | curl (Ubuntu) | Wishlist | Fix Released
Bug #1020335: Sync ruby1.8 1.8.7.358-4 (main) from Debian unstable (main)
Bug | Summary | In | Importance | Status
---|---|---|---|---
1020335 | Sync ruby1.8 1.8.7.358-4 (main) from Debian unstable (main) | ruby1.8 (Ubuntu) | Wishlist | Fix Released
Bug #1811531: remote execution vulnerability
Bug | Summary | In | Importance | Status
---|---|---|---|---
1811531 | remote execution vulnerability | zeromq3 (Ubuntu) | Undecided | Fix Released
1811531 | remote execution vulnerability | zeromq3 (Debian) | Unknown | Fix Released
1811531 | remote execution vulnerability | zeromq (Suse) | High | Fix Released
See the CVE page on Mitre.org for more details.