CVE-2017-7764 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Content spoofing
Description	A security issue has been found in Firefox < 54.0 and Thunderbird < 52.2, where characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. Firefox and Thunderbird behavior has been changed to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts."

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-303	thunderbird	52.1.1-1	52.2.0-1	Critical	Fixed
AVG-302	firefox	53.0.3-1	54.0-1	Critical	Fixed

Date	Advisory	Group	Package	Severity	Type
16 Jun 2017	ASA-201706-20	AVG-303	thunderbird	Critical	multiple issues
16 Jun 2017	ASA-201706-19	AVG-302	firefox	Critical	multiple issues

References
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7764 https://bugzilla.mozilla.org/show_bug.cgi?id=1364283 http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts

References

https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7764
https://bugzilla.mozilla.org/show_bug.cgi?id=1364283
http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts