USN-327-1: firefox vulnerabilities
Publication date
28 July 2006
Overview
firefox vulnerabilities
Releases
Details
Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious URL. (CVE-2006-3113, CVE-2006-3677, CVE-2006-3801,
CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807,
CVE-2006-3809, CVE-2006-3811, CVE-2006-3812)
cross-site scripting vulnerabilities were found in the
XPCNativeWrapper() function and native DOM method handlers. A
malicious web site could exploit these to modify the contents or steal
confidential data (such as passwords) from other opened web pages.
(
Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious URL. (CVE-2006-3113, CVE-2006-3677, CVE-2006-3801,
CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807,
CVE-2006-3809, CVE-2006-3811, CVE-2006-3812)
cross-site scripting vulnerabilities were found in the
XPCNativeWrapper() function and native DOM method handlers. A
malicious web site could exploit these to modify the contents or steal
confidential data (such as passwords) from other opened web pages.
(CVE-2006-3802, CVE-2006-3810)
A bug was found in the script handler for automatic proxy
configuration. A malicious proxy could send scripts which could
execute arbitrary code with the user's privileges. (CVE-2006-3808)
Please see
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
for technical details of these vulnerabilities.
Update instructions
After a standard system upgrade you need to restart Firefox to effect the necessary changes. Please note that Firefox 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 are also affected by these problems. Updates for these Ubuntu releases will be delayed due to upstream dropping support for this Firefox version. We strongly advise that you disable JavaScript to disable the attack vectors for most vulnerabilities if you use one of these Ubuntu versions.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 6.06 dapper | firefox – 1.5.dfsg+1.5.0.5-0ubuntu6.06 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.
References
- CVE-2006-3812
- CVE-2006-3811
- CVE-2006-3810
- CVE-2006-3809
- CVE-2006-3808
- CVE-2006-3807
- CVE-2006-3806
- CVE-2006-3805
- CVE-2006-3803
- CVE-2006-3802
- CVE-2006-3812
- CVE-2006-3811
- CVE-2006-3810
- CVE-2006-3809
- CVE-2006-3808
- CVE-2006-3807
- CVE-2006-3806
- CVE-2006-3805
- CVE-2006-3803
- CVE-2006-3802
- CVE-2006-3801
- CVE-2006-3677
- CVE-2006-3113