[HTTPS-Everywhere] Vulnerability in HTTPS Everywhere Chrome <= 2016.3.23

sjw at gmx.ch sjw at gmx.ch
Fri Apr 8 15:09:11 PDT 2016


Hi

Can you confirm that other platforms (Firefox, Android, Opera) are not
affected?
You may forward this to the oss-security list and request a CVE.

Regards,
Jonas

On 08.04.2016 at 23:50, William Budington wrote:
> HTTPS Everywhere Chrome users: be advised that a security vulnerability has been found of moderate severity with versions <= 2016.3.23 of the extension.  This has been fixed as of the latest version, 2016.4.4, released earlier this week and available via the Chrome Web Store.[1]
>
> The vulnerability, discovered by Dylan Katz[2], allows any remote website to cause the Chrome browser to hang indefinitely by triggering a redirect in HTTPS Everywhere with a specially-crafted URL.  We thank Dylan for reporting this to us and allowing us to fix it in a timely manner.
>
> This was disclosed as a part of EFF's Security Vulnerability Disclosure Program[3], launched in December of last year.
>
> 1. https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp
> 2. https://www.eff.org/security/hall-of-fame
> 3. https://www.eff.org/security
