CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
99.7%
CentOS Errata and Security Advisory CESA-2006:0675
Mozilla Firefox is an open source Web browser.
Two flaws were found in the way Firefox processed certain regular
expressions. A malicious web page could crash the browser or possibly
execute arbitrary code as the user running Firefox. (CVE-2006-4565,
CVE-2006-4566)
A number of flaws were found in Firefox. A malicious web page could crash
the browser or possibly execute arbitrary code as the user running Firefox.
(CVE-2006-4571)
A flaw was found in the handling of Javascript timed events. A malicious
web page could crash the browser or possibly execute arbitrary code as the
user running Firefox. (CVE-2006-4253)
Daniel Bleichenbacher recently described an implementation error in RSA
signature verification. For RSA keys with exponent 3 it is possible for an
attacker to forge a signature that would be incorrectly verified by the NSS
library. Firefox as shipped trusts several root Certificate Authorities
that use exponent 3. An attacker could have created a carefully crafted
SSL certificate which be incorrectly trusted when their site was visited by
a victim. (CVE-2006-4340)
A flaw was found in the Firefox auto-update verification system. An
attacker who has the ability to spoof a victim’s DNS could get Firefox to
download and install malicious code. In order to exploit this issue an
attacker would also need to get a victim to previously accept an
unverifiable certificate. (CVE-2006-4567)
Firefox did not properly prevent a frame in one domain from injecting
content into a sub-frame that belongs to another domain, which facilitates
website spoofing and other attacks (CVE-2006-4568)
Firefox did not load manually opened, blocked popups in the right domain
context, which could lead to cross-site scripting attacks. In order to
exploit this issue an attacker would need to find a site which would frame
their malicious page and convince the user to manually open a blocked
popup. (CVE-2006-4569)
Users of Firefox are advised to upgrade to this update, which contains
Firefox version 1.5.0.7 that corrects these issues.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2006-September/075404.html
https://lists.centos.org/pipermail/centos-announce/2006-September/075417.html
https://lists.centos.org/pipermail/centos-announce/2006-September/075419.html
https://lists.centos.org/pipermail/centos-announce/2006-September/075423.html
Affected packages:
firefox
Upstream details at:
https://access.redhat.com/errata/RHSA-2006:0675
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 4 | i386 | firefox | < 1.5.0.7-0.1.el4.centos4 | firefox-1.5.0.7-0.1.el4.centos4.i386.rpm |
CentOS | 4 | ia64 | firefox | < 1.5.0.7-0.1.el4.centos4 | firefox-1.5.0.7-0.1.el4.centos4.ia64.rpm |
CentOS | 4 | x86_64 | firefox | < 1.5.0.7-0.1.el4.centos4 | firefox-1.5.0.7-0.1.el4.centos4.x86_64.rpm |
CentOS | 4 | s390 | firefox | < 1.5.0.7-0.1.el4.centos4 | firefox-1.5.0.7-0.1.el4.centos4.s390.rpm |
CentOS | 4 | s390x | firefox | < 1.5.0.7-0.1.el4.centos4 | firefox-1.5.0.7-0.1.el4.centos4.s390x.rpm |