lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060922154148.GH6015@piware.de>
Date: Fri, 22 Sep 2006 17:41:48 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-351-1] firefox vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-351-1         September 22, 2006
firefox vulnerabilities
CVE-2006-4253, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566,
CVE-2006-4567, CVE-2006-4568, CVE-2006-4569, CVE-2006-4571
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  firefox                                  1.5.dfsg+1.5.0.7-ubuntu0.6.06
  libnss3                                  1.5.dfsg+1.5.0.7-ubuntu0.6.06

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Please note that Firefox 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 are also
affected by these problems. Updates for these Ubuntu releases will be
delayed due to upstream dropping support for this Firefox version. We
strongly advise that you disable JavaScript to disable the attack
vectors for most vulnerabilities if you use one of these Ubuntu
versions. An update is currently in progress.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript. (CVE-2006-4253,
CVE-2006-4565, CVE-2006-4566, CVE-2006-4568, CVE-2006-4569
CVE-2006-4571)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures if the exponent of the public key is 3 (which is widely
used for CAs). This could be exploited to forge valid signatures
without the need of the secret key. (CVE-2006-4340)

Jon Oberheide reported a way how a remote attacker could trick users
into downloading arbitrary extensions with circumventing the normal
SSL certificate check. The attacker would have to be in a position to
spoof the victim's DNS, causing them to connect to sites of the
attacker's choosing rather than the sites intended by the victim. If
they gained that control and the victim accepted the attacker's cert
for the Mozilla update site, then the next update check could be
hijacked and redirected to the attacker's site without
detection.  (CVE-2006-4567)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-ubuntu0.6.06.diff.gz
      Size/MD5:   177969 b449a4273730b70a6364fc7977f32947
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-ubuntu0.6.06.dsc
      Size/MD5:     1113 f66f89a240cf04e424268682b18b274d
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7.orig.tar.gz
      Size/MD5: 43116523 025ca9a48809d142dd4817e396157afa

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.7-ubuntu0.6.06_all.deb
      Size/MD5:    49518 5e0b78c4ac74bee3eb1619bdb5e73dcf
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.7-ubuntu0.6.06_all.deb
      Size/MD5:    50408 4301f74c782bedd5fdae77a8718c9e84

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.7-ubuntu0.6.06_amd64.deb
      Size/MD5: 47330950 1a10494ee3d4d0a4194c9f2615648829
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-ubuntu0.6.06_amd64.deb
      Size/MD5:  2798556 010d95da3e0f36228f7020f64a82d8db
    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-ubuntu0.6.06_amd64.deb
      Size/MD5:   216456 d2e78ea968f19f7402c6e07f810ac523
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-ubuntu0.6.06_amd64.deb
      Size/MD5:    82684 19d45ae80a1c181dc6e3e6d4f9b13d0c
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-ubuntu0.6.06_amd64.deb
      Size/MD5:  9413980 f7dc5d3650a940520ccb5be0cdad3f2b
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_amd64.deb
      Size/MD5:   219138 6eecd17ccbad3377599eb5247888d47f
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_amd64.deb
      Size/MD5:   162186 73136a6353d5e146bccc4f496f0dd9a1
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_amd64.deb
      Size/MD5:   236042 4d0185a1415e236448d9f80a33749710
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_amd64.deb
      Size/MD5:   757866 8278b72cad3ec0202ecae39c4fd2a354

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.7-ubuntu0.6.06_i386.deb
      Size/MD5: 43897500 d1dc2c78dcc2fefcc2136e635c41ea6a
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-ubuntu0.6.06_i386.deb
      Size/MD5:  2798572 179ae6b21807bf882869fc1f4cceff26
    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-ubuntu0.6.06_i386.deb
      Size/MD5:   209870 c30fa91cb895288c8516c4357c6eca36
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-ubuntu0.6.06_i386.deb
      Size/MD5:    75046 a2baf77d367ecdfd0ee4233d400500d6
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-ubuntu0.6.06_i386.deb
      Size/MD5:  7925372 78da19e304788b40754f86d85af967d2
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_i386.deb
      Size/MD5:   219134 8205349eb31b90734a23c2dd539e7e87
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_i386.deb
      Size/MD5:   146884 d4f4e5ae7f467d385bb84b7923930ce5
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_i386.deb
      Size/MD5:   236030 1ab463b215d7fb0841b8d987622d188c
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_i386.deb
      Size/MD5:   669986 c0304f2bb316757ffee0442f80a418be

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.7-ubuntu0.6.06_powerpc.deb
      Size/MD5: 48710170 b6a71933d6f85397bece7d2aceb4f475
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-ubuntu0.6.06_powerpc.deb
      Size/MD5:  2798592 b2bb02ac4934c861ce7f1b2f7d7baa12
    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-ubuntu0.6.06_powerpc.deb
      Size/MD5:   213326 c1c760c5cb1e503d007f8885ca162915
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-ubuntu0.6.06_powerpc.deb
      Size/MD5:    78222 1e43582487c4bbfa7e4bafcfe7ae1fc7
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-ubuntu0.6.06_powerpc.deb
      Size/MD5:  9025586 f4bfe2070a79223bd4453f9c833749ae
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_powerpc.deb
      Size/MD5:   219150 240f9503290c98f62fb653c8120d5724
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_powerpc.deb
      Size/MD5:   159436 fb6c4dcc82eed00b3f9ec92b91195db7
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_powerpc.deb
      Size/MD5:   236030 bd3560a6324ed389e92f7e629d5682f0
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_powerpc.deb
      Size/MD5:   768752 a7c309bf5b9770cc075717d02a4eac54

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.7-ubuntu0.6.06_sparc.deb
      Size/MD5: 45291390 a05989e31edd036826441e486408f011
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-ubuntu0.6.06_sparc.deb
      Size/MD5:  2798644 987b4fd5f256cf43dba88156e006a063
    http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-ubuntu0.6.06_sparc.deb
      Size/MD5:   210824 c87de0ce847db60238862081d1fc8820
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-ubuntu0.6.06_sparc.deb
      Size/MD5:    76674 e8d2eb757a497a5778d7a080bb3b5442
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-ubuntu0.6.06_sparc.deb
      Size/MD5:  8421340 5ce31d58ab07114b140acd2322ae3ddd
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_sparc.deb
      Size/MD5:   219148 e570f55a3a1170bea76bb4c3fffd5b67
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_sparc.deb
      Size/MD5:   149380 4f7c86cd49ff77bae0b2ba3acefa97c9
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_sparc.deb
      Size/MD5:   236060 a3b585f43927607d8743b9c413ef0a5b
    http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.7-ubuntu0.6.06_sparc.deb
      Size/MD5:   682100 ceb5f2de5ae6f6ede05f097eee4f6a72

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ