Ubuntu Security Notice USN-398-1

2nd January, 2007

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 6.10

Details

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript or SVG. (CVE-2006-6497,
CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6504)

Various flaws have been reported that allow an attacker to bypass
Firefox's internal XSS protections by tricking the user into opening a
malicious web page containing JavaScript. (CVE-2006-6503,
CVE-2006-6507)

Jared Breland discovered that the "Feed Preview" feature could leak
referrer information to remote servers. (CVE-2006-6506)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 6.10:

firefox 2.0.0.1+0dfsg-0ubuntu0.6.10

libnspr4 2.0.0.1+0dfsg-0ubuntu0.6.10

libnss-dev 2.0.0.1+0dfsg-0ubuntu0.6.10

libnss3 2.0.0.1+0dfsg-0ubuntu0.6.10

libnspr-dev 2.0.0.1+0dfsg-0ubuntu0.6.10

firefox-dev 2.0.0.1+0dfsg-0ubuntu0.6.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

References

CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504, CVE-2006-6506, CVE-2006-6507