Bug 560134 (CVE-2009-4630)

Summary: CVE-2009-4630 firefox/thunderbird/seamonkey: privacy compromise via DNS prefetching (local HTML files)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: gecko-bugs-nobody
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4630
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2021-10-19 09:09:41 UTC
Type: ---

Description Vincent Danen 2010-01-29 23:06:37 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4630 to
the following vulnerability:

Name: CVE-2009-4630
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4630
Assigned: 20100129
Reference: MISC: https://bugzilla.mozilla.org/show_bug.cgi?id=453403
Reference: MISC: https://bugzilla.mozilla.org/show_bug.cgi?id=492196

Mozilla Necko, as used in Firefox, SeaMonkey, and other applications,
performs DNS prefetching of domain names contained in links within
local HTML documents, which makes it easier for remote attackers to
determine the network location of the application's user by logging
DNS requests.  NOTE: the vendor disputes the significance of this
issue, stating "I don't think we necessarily need to worry about that
case."

Comment 1 Vincent Danen 2010-01-29 23:07:22 UTC
Note that this issue would not affect Firefox, Thunderbird or SeaMonkey as shipped with Red Hat Enterprise Linux 3, 4, or 5, as DNS prefetching was not implemented in the versions of Firefox, Thunderbird or SeaMonkey provided (no nsHTMLDNSPrefetch.cpp, for instance).  DNS prefetching was implemented in xulrunner 1.9.1 (as per https://bugzilla.mozilla.org/show_bug.cgi?id=453403).
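
A defender-side audit of the behaviour the CVE text describes, as an added example that is not from this bug report or from Mozilla's code: it lists the remote hostnames a local HTML file links to, which are the names a prefetching browser could look up when the file is opened. The `audit` helper and the sample document are constructed; treating `<a href>` and `<link rel="dns-prefetch">` as prefetch candidates and the `x-dns-prefetch-control` meta tag as the page-level opt-out are assumptions about browser behaviour that are not stated on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PrefetchAudit(HTMLParser):
    """Collect hostnames that a prefetching browser could resolve for a document."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.opted_out = False  # set by <meta http-equiv="x-dns-prefetch-control" content="off">

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser already lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            if a.get("content", "").strip().lower() == "off":
                self.opted_out = True
            return
        is_hint = tag == "link" and "dns-prefetch" in a.get("rel", "").lower().split()
        if tag != "a" and not is_hint:
            return
        try:
            parts = urlsplit(a.get("href", "").strip())
        except ValueError:  # malformed authority, e.g. an unterminated IPv6 literal
            return
        # Relative links, mailto:, file: and similar name no remote host to look up.
        if parts.scheme in ("http", "https") and parts.hostname:
            self.hosts.add(parts.hostname.lower())


def audit(html_text):
    """Return (sorted candidate hostnames, opted_out) for one HTML document."""
    parser = PrefetchAudit()
    parser.feed(html_text)
    parser.close()
    return sorted(parser.hosts), parser.opted_out


# Constructed sample of a saved local document; hostnames are placeholders.
SAMPLE = """<html><head><link rel="dns-prefetch" href="http://hint.example.org/"></head>
<body><a href="http://Tracker.Example.NET/u/12345">report</a>
<a href="https://tracker.example.net/other">same host</a>
<a href="notes.html">local</a> <a href="mailto:someone@example.com">mail</a>
</body></html>"""

if __name__ == "__main__":
    hosts, opted_out = audit(SAMPLE)
    print("prefetch opt-out present:", opted_out)
    for host in hosts:
        print("candidate lookup:", host)
```
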