Ubuntu: firefox vulnerabilities
Posted by Benjamin D. Thomas
Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page containing JavaScript. The following CVE IDs have been addressed: CVE-2006-4253, CVE-2006-4565, CVE-2006-4566, CVE-2006-4568, CVE-2006-4569, CVE-2006-4571, CVE-2006-4340, CVE-2006-4567
Ubuntu Security Notice USN-351-1         September 22, 2006
firefox vulnerabilities
CVE-2006-4253, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566,
CVE-2006-4567, CVE-2006-4568, CVE-2006-4569, CVE-2006-4571

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  firefox                                  1.5.dfsg+
  libnss3                                  1.5.dfsg+

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Please note that Firefox 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 is also
affected by these problems. Updates for these Ubuntu releases will be
delayed because upstream has dropped support for this Firefox version. If
you use one of these Ubuntu versions, we strongly advise that you disable
JavaScript, which closes off the attack vector for most of these
vulnerabilities. An update is currently in progress.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript. (CVE-2006-4253,
CVE-2006-4565, CVE-2006-4566, CVE-2006-4568, CVE-2006-4569)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures if the exponent of the public key is 3 (which is widely
used for CAs). This could be exploited to forge valid signatures
without the need of the secret key. (CVE-2006-4340)
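As an added illustration (not code from the advisory or from NSS), the two padding checks below show the difference the advisory describes: a verifier that parses the DigestInfo at the front of the decoded signature block and ignores whatever follows it, versus one that requires the whole block to match the canonical PKCS #1 v1.5 encoding. All function names and the sample block are constructed for this example, and the RSA public-key operation that produces the block is omitted.

```python
import hmac

# DER-encoded DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def pkcs1_v15_encode(digest: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, filling the whole block."""
    t = SHA1_DIGESTINFO_PREFIX + digest
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def strip_padding(em: bytes):
    """Return the bytes after 00 01 FF..FF 00, or None if the frame is wrong."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return None
    return em[i + 1:]


def verify_lax(em: bytes, digest: bytes) -> bool:
    """Flawed pattern: match the DigestInfo at the front, ignore trailing bytes."""
    body = strip_padding(em)
    return body is not None and body.startswith(SHA1_DIGESTINFO_PREFIX + digest)


def verify_strict(em: bytes, digest: bytes) -> bool:
    """Correct check: the entire block must equal the canonical encoding."""
    return hmac.compare_digest(em, pkcs1_v15_encode(digest, len(em)))


def malformed_block(digest: bytes, em_len: int) -> bytes:
    """Constructed test input: minimal FF run, a valid DigestInfo, then
    unchecked filler. This is the block shape a lax parser accepts."""
    t = SHA1_DIGESTINFO_PREFIX + digest
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (em_len - len(head))


if __name__ == "__main__":
    d = bytes(range(20))  # constructed 20-byte stand-in for a SHA-1 digest
    good, bad = pkcs1_v15_encode(d, 128), malformed_block(d, 128)
    print("well-formed block:", verify_lax(good, d), verify_strict(good, d))
    print("block with trailing filler:", verify_lax(bad, d), verify_strict(bad, d))
```

The strict verifier is the fix: comparing the whole 128-byte block against the canonical encoding leaves no slack bytes for an attacker to control.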

Jon Oberheide reported a way in which a remote attacker could trick users
into downloading arbitrary extensions while circumventing the normal
SSL certificate check. The attacker would have to be in a position to
spoof the victim's DNS, causing them to connect to sites of the
attacker's choosing rather than the sites intended by the victim. If
they gained that control and the victim accepted the attacker's cert
for the Mozilla update site, then the next update check could be
hijacked and redirected to the attacker's site without
detection. (CVE-2006-4567)

Updated packages for Ubuntu 6.06 LTS:

