Oval Definition:oval:com.redhat.rhsa:def:20060675
Revision Date:2006-09-15Version:638
Title:RHSA-2006:0675: firefox security update (Critical)
Description:Mozilla Firefox is an open source Web browser.

  • Two flaws were found in the way Firefox processed certain regular expressions. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox. (CVE-2006-4565, CVE-2006-4566)

  • A number of flaws were found in Firefox. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox. (CVE-2006-4571)

  • A flaw was found in the handling of Javascript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox. (CVE-2006-4253)

  • Daniel Bleichenbacher recently described an implementation error in RSA signature verification. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that would be incorrectly verified by the NSS library. Firefox as shipped trusts several root Certificate Authorities that use exponent 3. An attacker could have created a carefully crafted SSL certificate which be incorrectly trusted when their site was visited by a victim. (CVE-2006-4340)

  • A flaw was found in the Firefox auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567)

  • Firefox did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks (CVE-2006-4568)

  • Firefox did not load manually opened, blocked popups in the right domain context, which could lead to cross-site scripting attacks. In order to exploit this issue an attacker would need to find a site which would frame their malicious page and convince the user to manually open a blocked popup. (CVE-2006-4569)

    Users of Firefox are advised to upgrade to this update, which contains Firefox version 1.5.0.7 that corrects these issues.
    • Family:unixClass:patch
    Status:Reference(s):CVE-2006-4253
    CVE-2006-4340
    CVE-2006-4565
    CVE-2006-4566
    CVE-2006-4567
    CVE-2006-4568
    CVE-2006-4569
    CVE-2006-4571
    RHSA-2006:0675
    RHSA-2006:0675-01
    RHSA-2006:0675-01
    Platform(s):Red Hat Enterprise Linux 4
    		Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 4 is installed
  • AND firefox is earlier than 0:1.5.0.7-0.1.el4
  • AND firefox is signed with Red Hat redhatrelease2 key
    • BACK