USN-361-1: Mozilla vulnerabilities

10 October 2006


Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious URL. (CVE-2006-2788, CVE-2006-3805, CVE-2006-3806,
CVE-2006-3807, CVE-2006-3809, CVE-2006-3811, CVE-2006-4565,
CVE-2006-4568, CVE-2006-4571)

A bug was found in the script handler for automatic proxy
configuration. A malicious proxy could send scripts which could
execute arbitrary code with the user's privileges. (CVE-2006-3808)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures when the exponent of the public key is 3 (which is widely
used for CAs). This could be exploited to forge valid signatures
without needing the secret key. (CVE-2006-4340)

Georgi Guninski discovered that even with JavaScript disabled, a
malicious email could still execute JavaScript when the message is
viewed, replied to, or forwarded, by putting the script in a remote XBL
file loaded by the message. (CVE-2006-4570)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.10
  • mozilla-psm - 2:1.7.13-0ubuntu5.10.2
  • mozilla-mailnews - 2:1.7.13-0ubuntu5.10.2
  • libnspr4 - 2:1.7.13-0ubuntu5.10.2
  • mozilla-browser - 2:1.7.13-0ubuntu5.10.2
  • libnss3 - 2:1.7.13-0ubuntu5.10.2
Ubuntu 5.04
  • mozilla-psm - 2:1.7.13-0ubuntu05.04.2
  • mozilla-mailnews - 2:1.7.13-0ubuntu05.04.2
  • libnspr4 - 2:1.7.13-0ubuntu05.04.2
  • mozilla-browser - 2:1.7.13-0ubuntu05.04.2
  • libnss3 - 2:1.7.13-0ubuntu05.04.2

After a standard system upgrade you need to restart Mozilla to effect
the necessary changes.

Related notices

  • USN-296-1: firefox
  • USN-327-1: firefox
  • USN-350-1: mozilla-thunderbird-typeaheadfind, mozilla-thunderbird-locale-fr, mozilla-thunderbird-locale-pl, mozilla-thunderbird, mozilla-thunderbird-locale-it, mozilla-thunderbird-locale-de, mozilla-thunderbird-enigmail, mozilla-thunderbird-locale-uk, mozilla-thunderbird-locale-nl, mozilla-thunderbird-inspector, mozilla-thunderbird-locale-ca
  • USN-329-1: mozilla-thunderbird-enigmail, mozilla-thunderbird
  • USN-351-1: firefox, libnss3
  • USN-352-1: mozilla-thunderbird