Executive Summary
Summary | |
---|---|
Title | New Mozilla Firefox packages fix several vulnerabilities |
Informations | |||
---|---|---|---|
Name | DSA-1225 | First vendor Publication | 2006-12-03 |
Vendor | Debian | Last vendor Modification | 2006-12-03 |
Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
This update covers packages for the little endian MIPS architecture missing in the original advisory. Several security related problems have been discovered in Mozilla and derived products such as Mozilla Firefox. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2006-4310 Tomas Kempinsky discovered that malformed FTP server responses could lead to denial of service. CVE-2006-5462 Ulrich Kühn discovered that the correction for a cryptographic flaw in the handling of PKCS-1 certificates was incomplete, which allows the forgery of certificates. CVE-2006-5463 "shutdown" discovered that modification of JavaScript objects during execution could lead to the execution of arbitrary JavaScript bytecode. CVE-2006-5464 Jesse Ruderman and Martijn Wargers discovered several crashes in the layout engine, which might also allow execution of arbitrary code. CVE-2006-5748 Igor Bukanov and Jesse Ruderman discovered several crashes in the JavaScript engine, which might allow execution of arbitrary code. This update also adresses several crashes, which could be triggered by malicious websites and fixes a regression introduced in the previous Mozilla update. For the stable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge13. For the unstable distribution (sid) these problems have been fixed in the current iceweasel package 2.0+dfsg-1. We recommend that you upgrade your mozilla-firefox package. |
Original Source
Url : http://www.debian.org/security/2006/dsa-1225 |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters |
CAPEC-7 | Blind SQL Injection |
CAPEC-8 | Buffer Overflow in an API Call |
CAPEC-9 | Buffer Overflow in Local Command-Line Utilities |
CAPEC-10 | Buffer Overflow via Environment Variables |
CAPEC-13 | Subverting Environment Variable Values |
CAPEC-14 | Client-side Injection-induced Buffer Overflow |
CAPEC-18 | Embedding Scripts in Nonscript Elements |
CAPEC-22 | Exploiting Trust in Client (aka Make the Client Invisible) |
CAPEC-24 | Filter Failure through Buffer Overflow |
CAPEC-28 | Fuzzing |
CAPEC-31 | Accessing/Intercepting/Modifying HTTP Cookies |
CAPEC-32 | Embedding Scripts in HTTP Query Strings |
CAPEC-42 | MIME Conversion |
CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
CAPEC-45 | Buffer Overflow via Symbolic Links |
CAPEC-46 | Overflow Variables and Tags |
CAPEC-47 | Buffer Overflow via Parameter Expansion |
CAPEC-52 | Embedding NULL Bytes |
CAPEC-53 | Postfix, Null Terminate, and Backslash |
CAPEC-63 | Simple Script Injection |
CAPEC-64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic |
CAPEC-66 | SQL Injection |
CAPEC-67 | String Format Overflow in syslog() |
CAPEC-71 | Using Unicode Encoding to Bypass Validation Logic |
CAPEC-72 | URL Encoding |
CAPEC-73 | User-Controlled Filename |
CAPEC-78 | Using Escaped Slashes in Alternate Encoding |
CAPEC-79 | Using Slashes in Alternate Encoding |
CAPEC-80 | Using UTF-8 Encoding to Bypass Validation Logic |
CAPEC-81 | Web Logs Tampering |
CAPEC-83 | XPath Injection |
CAPEC-85 | Client Network Footprinting (using AJAX/XSS) |
CAPEC-86 | Embedding Script (XSS ) in HTTP Headers |
CAPEC-88 | OS Command Injection |
CAPEC-91 | XSS in IMG Tags |
CAPEC-99 | XML Parser Attack |
CAPEC-101 | Server Side Include (SSI) Injection |
CAPEC-104 | Cross Zone Scripting |
CAPEC-106 | Cross Site Scripting through Log Files |
CAPEC-108 | Command Line Execution through SQL Injection |
CAPEC-109 | Object Relational Mapping Injection |
CAPEC-110 | SQL Injection through SOAP Parameter Tampering |
CAPEC-171 | Variable Manipulation |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10478 | |||
Oval ID: | oval:org.mitre.oval:def:10478 | ||
Title: | Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for unpatched product versions that were originally intended to be addressed by CVE-2006-4340. | ||
Description: | Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for unpatched product versions that were originally intended to be addressed by CVE-2006-4340. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-5462 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-10-13 | Name : Solaris Update for Mozilla 1.7 119115-35 File : nvt/gb_solaris_119115_35.nasl |
2009-10-13 | Name : Solaris Update for Mozilla 1.7_x86 119116-35 File : nvt/gb_solaris_119116_35.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200612-06 (mozilla-thunderbird) File : nvt/glsa_200612_06.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200612-07 (mozilla-firefox) File : nvt/glsa_200612_07.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200612-08 (seamonkey) File : nvt/glsa_200612_08.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1224-1 (mozilla) File : nvt/deb_1224_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1225-1 (mozilla-firefox) File : nvt/deb_1225_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1225-2 (mozilla-firefox) File : nvt/deb_1225_2.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1227-1 (mozilla-thunderbird) File : nvt/deb_1227_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
30759 | Mozilla Firefox Crafted FTP URI DoS |
30303 | Mozilla Multiple Products Javascript Engine Multiple Unspecified Issues |
30301 | Mozilla Multiple ProductLayout Engine Unspecified DoS |
30300 | Mozilla Multiple Products Script Object Modification Arbitrary Javascript Byt... |
29013 | Mozilla Multiple Products NSS Library RSA Exponent 3 Signature Forgery |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2006-0735.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2006-0734.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2006-0733.nasl - Type : ACT_GATHER_INFO |
2012-01-04 | Name : The SSL layer on the remote server does not properly verify signatures. File : openssl_0_9_7k_0_9_8c.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2006-0734.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2006-0733.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2006-0735.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_MozillaFirefox-2258.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-382-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-381-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-361-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-352-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-351-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-350-1.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_seamonkey-2250.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_MozillaThunderbird-2252.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_MozillaFirefox-2251.nasl - Type : ACT_GATHER_INFO |
2007-02-18 | Name : The remote host is missing Sun Security Patch number 120671-08 File : solaris8_120671.nasl - Type : ACT_GATHER_INFO |
2007-02-18 | Name : The remote host is missing Sun Security Patch number 120671-08 File : solaris9_120671.nasl - Type : ACT_GATHER_INFO |
2007-02-18 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-206.nasl - Type : ACT_GATHER_INFO |
2007-02-18 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-205.nasl - Type : ACT_GATHER_INFO |
2007-02-18 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-168.nasl - Type : ACT_GATHER_INFO |
2007-01-17 | Name : The remote Fedora Core host is missing one or more security updates. File : fedora_2006-1191.nasl - Type : ACT_GATHER_INFO |
2007-01-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2006-1192.nasl - Type : ACT_GATHER_INFO |
2007-01-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2006-1194.nasl - Type : ACT_GATHER_INFO |
2007-01-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2006-1199.nasl - Type : ACT_GATHER_INFO |
2006-12-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200612-06.nasl - Type : ACT_GATHER_INFO |
2006-12-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200612-07.nasl - Type : ACT_GATHER_INFO |
2006-12-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200612-08.nasl - Type : ACT_GATHER_INFO |
2006-12-06 | Name : The remote host is missing Sun Security Patch number 120672-08 File : solaris8_x86_120672.nasl - Type : ACT_GATHER_INFO |
2006-12-06 | Name : The remote host is missing Sun Security Patch number 120672-08 File : solaris9_x86_120672.nasl - Type : ACT_GATHER_INFO |
2006-12-04 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1225.nasl - Type : ACT_GATHER_INFO |
2006-12-04 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1227.nasl - Type : ACT_GATHER_INFO |
2006-12-04 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1224.nasl - Type : ACT_GATHER_INFO |
2006-11-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2006-0734.nasl - Type : ACT_GATHER_INFO |
2006-11-20 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2006-0733.nasl - Type : ACT_GATHER_INFO |
2006-11-20 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2006-0735.nasl - Type : ACT_GATHER_INFO |
2006-11-08 | Name : The remote Windows host contains a mail client that is affected by multiple v... File : mozilla_thunderbird_1508.nasl - Type : ACT_GATHER_INFO |
2006-11-08 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_1508.nasl - Type : ACT_GATHER_INFO |
2006-11-08 | Name : A web browser on the remote host is prone to multiple flaws. File : seamonkey_106.nasl - Type : ACT_GATHER_INFO |
2006-11-06 | Name : The remote host is missing Sun Security Patch number 119116-35 File : solaris10_x86_119116.nasl - Type : ACT_GATHER_INFO |
2006-11-06 | Name : The remote host is missing Sun Security Patch number 119115-36 File : solaris10_119115.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:26:23 |
|