CVE-2016-5284 log

Source
Severity High
Remote Yes
Type Certificate verification bypass
Description
Due to flaws in the process used to update "Preloaded Public Key Pinning", the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected.
Group Package Affected Fixed Severity Status Ticket
AVG-24 firefox 48.0.2-1 49.0-1 Critical Fixed
Date Advisory Group Package Severity Description
22 Sep 2016 ASA-201609-22 AVG-24 firefox Critical multiple issues
References
https://blog.mozilla.org/security/2016/09/16/update-on-add-on-pinning-vulnerability/
https://bugzilla.mozilla.org/show_bug.cgi?id=1303127