<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200407-15"> <title>Opera: Multiple spoofing vulnerabilities</title> <synopsis> Opera contains three vulnerabilities, allowing an attacker to impersonate legitimate websites with URI obfuscation or to spoof websites with frame injection. </synopsis> <product type="ebuild">opera</product> <announced>2004-07-20</announced> <revised count="01">2004-07-20</revised> <bug>56311</bug> <bug>56109</bug> <access>remote</access> <affected> <package name="www-client/opera" auto="yes" arch="*"> <unaffected range="ge">7.53</unaffected> <vulnerable range="le">7.52</vulnerable> </package> </affected> <background> <p> Opera is a multi-platform web browser. </p> </background> <description> <p> Opera fails to remove illegal characters from an URI of a link and to check that the target frame of a link belongs to the same website as the link. Opera also updates the address bar before loading a page. Additionally, Opera contains a certificate verification problem. </p> </description> <impact type="normal"> <p> These vulnerabilities could allow an attacker to impersonate legitimate websites to steal sensitive information from users. This could be done by obfuscating the real URI of a link or by injecting a malicious frame into an arbitrary frame of another browser window. </p> </impact> <workaround> <p> There is no known workaround at this time. All users are encouraged to upgrade to the latest available version. </p> </workaround> <resolution> <p> All Opera users should upgrade to the latest stable version: </p> <code> # emerge sync # emerge -pv ">=www-client/opera-7.53" # emerge ">=www-client/opera-7.53"</code> </resolution> <references> <uri link="http://www.securityfocus.com/bid/10517">Bugtraq Announcement</uri> <uri link="https://secunia.com/advisories/11978/">Secunia Advisory SA11978</uri> <uri link="https://secunia.com/advisories/12028/">Secunia Advisory SA12028</uri> <uri link="https://www.opera.com/linux/changelogs/753/">Opera Changelog</uri> </references> <metadata tag="submitter"> jaervosz </metadata> </glsa>