Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. External Reference: https://www.mozilla.org/security/advisories/mfsa2016-85/ https://www.mozilla.org/security/advisories/mfsa2016-86/
Acknowledgments: Name: the Mozilla project Upstream: Ryan Duff
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2016:1912 https://rhn.redhat.com/errata/RHSA-2016-1912.html