CVE-2014-1582

The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority.

Date published : 2014-10-15

http://www.securityfocus.com/bid/70432

http://www.mozilla.org/security/announce/2014/mfsa2014-80.html