USN-361-1: Mozilla vulnerabilities

10 October 2006

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.10
  • Ubuntu 5.04

Software Description


Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious URL. (CVE-2006-2788, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3811, CVE-2006-4565, CVE-2006-4568, CVE-2006-4571)

A bug was found in the script handler for automatic proxy configuration. A malicious proxy could send scripts which could execute arbitrary code with the user’s privileges. (CVE-2006-3808)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key was 3 (which is widely used for CAs). This could be exploited to forge valid signatures without needing the secret key. (CVE-2006-4340)

Georgi Guninski discovered that even with JavaScript disabled, a malicious email could still execute JavaScript when the message is viewed, replied to, or forwarded, by placing the script in a remote XBL file loaded by the message. (CVE-2006-4570)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.10:

  • libnspr4 - 2:1.7.13-0ubuntu5.10.2
  • libnss3 - 2:1.7.13-0ubuntu5.10.2
  • mozilla-browser - 2:1.7.13-0ubuntu5.10.2
  • mozilla-mailnews - 2:1.7.13-0ubuntu5.10.2
  • mozilla-psm - 2:1.7.13-0ubuntu5.10.2

Ubuntu 5.04:

  • libnspr4 - 2:1.7.13-0ubuntu05.04.2
  • libnss3 - 2:1.7.13-0ubuntu05.04.2
  • mozilla-browser - 2:1.7.13-0ubuntu05.04.2
  • mozilla-mailnews - 2:1.7.13-0ubuntu05.04.2
  • mozilla-psm - 2:1.7.13-0ubuntu05.04.2

To update your system, please follow these instructions:

After a standard system upgrade you need to restart Mozilla to effect the necessary changes.