---

CVE-2016-5284 - log back

CVE-2016-5284 created at 25 Sep 2019 19:31:40
Severity	+ High
Remote	+ Remote
Type	+ Certificate verification bypass
Description	+ Due to flaws in the process used to update "Preloaded Public Key Pinning", the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected.
References	+ https://blog.mozilla.org/security/2016/09/16/update-on-add-on-pinning-vulnerability/ + https://bugzilla.mozilla.org/show_bug.cgi?id=1303127
Notes