===========================================================
Ubuntu Security Notice USN-351-1         September 22, 2006
firefox vulnerabilities
CVE-2006-4253, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566,
CVE-2006-4567, CVE-2006-4568, CVE-2006-4569, CVE-2006-4571
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  firefox    1.5.dfsg+1.5.0.7-ubuntu0.6.06
  libnss3    1.5.dfsg+1.5.0.7-ubuntu0.6.06

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Please note that Firefox 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 is also
affected by these problems. Updates for these Ubuntu releases will be
delayed due to upstream dropping support for this Firefox version. We
strongly advise that you disable JavaScript to disable the attack
vectors for most vulnerabilities if you use one of these Ubuntu
versions. An update is currently in progress.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript. (CVE-2006-4253,
CVE-2006-4565, CVE-2006-4566, CVE-2006-4568, CVE-2006-4569,
CVE-2006-4571)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures if the exponent of the public key is 3 (which is widely
used for CAs). This could be exploited to forge valid signatures
without needing the secret key. (CVE-2006-4340)

Jon Oberheide reported a way in which a remote attacker could trick
users into downloading arbitrary extensions, circumventing the normal
SSL certificate check. The attacker would have to be in a position to
spoof the victim's DNS, causing them to connect to sites of the
attacker's choosing rather than the sites intended by the victim. If
they gained that control and the victim accepted the attacker's cert
for the Mozilla update site, then the next update check could be
hijacked and redirected to the attacker's site without detection.
(CVE-2006-4567)

Updated packages for Ubuntu 6.06 LTS: