Your submission was sent successfully! Close

CVE-2014-1582

Published: 14 October 2014

The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority.

Priority

Low

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end of life)
precise
Released (33.0+build2-0ubuntu0.12.04.1)
trusty Does not exist
(trusty was released [33.0+build2-0ubuntu0.14.04.1])
upstream
Released (33.0)