Security Vulnerabilities fixed in SeaMonkey mfsa2014-80

description-logoDescription

Mozilla developer Patrick McManus reported a method to use SPDY or HTTP/2 connection coalescing to bypass key pinning on different sites that resolve to the same IP address.This could allow the use of a fraudulent certificate when a saved pin for that subdomain should have prevented the connection. This leads to possible man-in-the-middle attacks if an attacker has control of the DNS connection and the ability to obtain a fraudulent certificate that browsers would accept in the absence of the pin.

affected-products-logoAffected Applications

SeaMonkey

CVE References

CVE-2014-1582 CVE-2014-1584