<em style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2990" target="_blank">CVE</a>)</em> : The implementation of Content Security Policy (CSP) violation reports in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not remove proxy-authorization credentials from the listed request headers, which allows attackers to obtain sensitive information by reading a report, related to incorrect host resolution that occurs with certain redirects.

Upgrade Firefox to version 6 or higher, Thunderbird to version 6 or higher, and SeaMonkey to version 2.3 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• OVAL ID: 14458
• CVE ID: 2011-2990 (see also: NVD)
• Secunia Advisory ID: 45581 45667 45785 45802 45808 51766
• Related OSVDB ID: 74581 74582 74583 74584 74585 74586 74587 74588 74589 74590 74591 74592 74594 74595 74596
• Mail List Post: http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00023.html
• Vendor Specific Advisory URL: http://lists.opensuse.org/opensuse-updates/2011-08/msg00039.html
  http://www.mozilla.org/security/announce/2011/mfsa2011-29.html
  http://www.mozilla.org/security/announce/2011/mfsa2011-31.html
  http://www.mozilla.org/security/announce/2011/mfsa2011-33.html
  http://www.suse.com/support/security/advisories/2011_37_firefox.html
• Vendor Specific News/Changelog Entry: http://lists.opensuse.org/opensuse-updates/2011-08/msg00043.html
  http://www.gentoo.org/security/en/glsa/glsa-201301-01.xml
  https://bugzilla.mozilla.org/show_bug.cgi?id=664983 [ Auth Req'd ]
  https://bugzilla.mozilla.org/show_bug.cgi?id=679588 [ Auth Req'd ]

• Mike Cardwell
• Daniel Veditz