Information disclosure in Debian Linux - CVE-2014-3166
Published: August 13, 2014 / Updated: August 10, 2020
Vulnerability identifier: #VU41417
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-3166
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Debian
Affected software:
Debian Linux
Debian Linux
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by leveraging the use of multiple domain names.
How to mitigate CVE-2014-3166
Install update from vendor's website.
Sources
- http://googlechromereleases.blogspot.com/2014/08/chrome-for-android-update.html
- http://googlechromereleases.blogspot.com/2014/08/chrome-for-ios-update.html
- http://googlechromereleases.blogspot.com/2014/08/stable-channel-update.html
- http://secunia.com/advisories/59693
- http://secunia.com/advisories/59904
- http://secunia.com/advisories/60685
- http://secunia.com/advisories/60798
- http://security.gentoo.org/glsa/glsa-201408-16.xml
- http://www.debian.org/security/2014/dsa-3039
- http://www.ietf.org/mail-archive/web/tls/current/msg13345.html
- http://www.securityfocus.com/bid/69202
- http://www.securitytracker.com/id/1030732
- https://code.google.com/p/chromium/issues/detail?id=398925
- https://src.chromium.org/viewvc/chrome?revision=286598&view=revision
- https://src.chromium.org/viewvc/chrome?revision=288435&view=revision