Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious URL. (CVE-2006-2788, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3811, CVE-2006-4565, CVE-2006-4568, CVE-2006-4571)
A bug was found in the script handler for automatic proxy configuration. A malicious proxy could send scripts which could execute arbitrary code with the user’s privileges. (CVE-2006-3808)
10 October 2006
A security issue affects these releases of Ubuntu and its derivatives:
Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious URL. (CVE-2006-2788, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3811, CVE-2006-4565, CVE-2006-4568, CVE-2006-4571)
A bug was found in the script handler for automatic proxy configuration. A malicious proxy could send scripts which could execute arbitrary code with the user’s privileges. (CVE-2006-3808)
The NSS library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge valid signatures without the need of the secret key. (CVE-2006-4340)
Georgi Guninski discovered that even with JavaScript disabled, a malicous email could still execute JavaScript when the message is viewed, replied to, or forwarded by putting the script in a remote XBL file loaded by the message. (CVE-2006-4570)
The problem can be corrected by updating your system to the following package versions:
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system upgrade you need to restart Mozilla to effect the necessary changes.