Bug 200530 - CVE-2006-3801, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3811, CVE-2006-3812: major (public) security flaws fixed in firefox
CVE-2006-3801, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CV...
Product: Fedora Legacy
Classification: Retired
Component: firefox (Show other bugs)
All Linux
medium Severity urgent
: ---
: ---
Assigned To: Christopher Aillon
: Security
Depends On: 200357
  Show dependency treegraph
Reported: 2006-07-28 10:22 EDT by Matthew Miller
Modified: 2008-08-02 19:40 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-02 06:23:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Matthew Miller 2006-07-28 10:22:25 EDT
+++ This bug was initially created as a clone of Bug #200357 +++

Description of problem: Firefox and earlier has serious security
flaws, patched in


From the link above, I think the following also affect 1.0.8 in FC4:

CVE-2006-3805 : remote code execution via javascript.
CVE-2006-3806 : ditto.
CVE-2006-3807 : looks like a very serious privledge escalation bug for 
CVE-2006-3808 : malicious proxy can execute code with privs it shouldn't have;
                note that a malicious proxy can do all sorts of bad things
CVE-2006-3809 : privilege escalation of scripts; I don't understand the script
                security model enough personally to fully evaluate the impact
                of this without looking into it. sounds potentially serious.
CVE-2006-3811 : "several" crashes with memory corruption; potential arbitrary
                code execution
CVE-2006-3812 : scripts in chrome run with full privledge. no known automatic
                exploit, but may make tricking users easier.

-- Additional comment from mattdm@mattdm.org on 2006-07-28 00:07 EST --
Oh, apparently also CVE-2006-3804, but that's apparently just a denial of service.

Christopher Aillon -- there was some trouble releasing a timely update to
Firefox Do you anticipate needing some extra help for this as well?
Could you at least take a few seconds to let us know the status? Thanks!
Comment 1 Matthew Miller 2006-08-04 15:35:35 EDT
Is this likely to be resolved by Monday? I don't see anything in updates/testing.
Comment 2 Matthew Miller 2006-08-07 13:13:29 EDT
Well, here we go with another critical and urgent Firefox update involving
remotely executable code where the only public response from the Red Hat
engineers is stony silence.

This is frustrating.

Since FC4 is now supported by Legacy, moving there.
Comment 3 Matěj Cepl 2007-05-30 19:16:58 EDT
What to do with this bug now when Fedora Legacy shutdown? Could you close it please?

Note You need to log in before you can comment on or make changes to this bug.