CVE-2006-5462

Description

Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for unpatched product versions that were originally intended to be addressed by CVE-2006-4340.

Affected products

• Mozilla / Firefox1.5 – 1.5
• Mozilla / Firefox1.5 – 1.5
• Mozilla / Firefox1.5 – 1.5
• Mozilla / Firefox1.5.0.1 – 1.5.0.1
• Mozilla / Firefox1.5.0.2 – 1.5.0.2
• Mozilla / Firefox1.5.0.3 – 1.5.0.3
• Mozilla / Firefox1.5.0.4 – 1.5.0.4
• Mozilla / Firefox1.5.0.5 – 1.5.0.5
• Mozilla / Firefox1.5.0.6 – 1.5.0.6
• Mozilla / Firefox1.5.0.7 – 1.5.0.7
• Mozilla / Network Security Services3.11.3 – 3.11.3
• Mozilla / seamonkey1.0 – 1.0
• Mozilla / seamonkey1.0 – 1.0
• Mozilla / seamonkey1.0 – 1.0
• Mozilla / seamonkey1.0 – 1.0
• Mozilla / seamonkey1.0.1 – 1.0.1
• Mozilla / seamonkey1.0.2 – 1.0.2
• Mozilla / seamonkey1.0.3 – 1.0.3
• Mozilla / seamonkey1.0.4 – 1.0.4
• Mozilla / seamonkey1.0.5 – 1.0.5
• Mozilla / Thunderbird1.5 – 1.5
• Mozilla / Thunderbird1.5 – 1.5
• Mozilla / Thunderbird1.5.0.1 – 1.5.0.1
• Mozilla / Thunderbird1.5.0.2 – 1.5.0.2
• Mozilla / Thunderbird1.5.0.3 – 1.5.0.3
• Mozilla / Thunderbird1.5.0.4 – 1.5.0.4
• Mozilla / Thunderbird1.5.0.6 – 1.5.0.6
• Mozilla / Thunderbird1.5.0.7 – 1.5.0.7

References

• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2006/3748
• VENDOR_ADVISORYhttp://secunia.com/advisories/23883
• VENDOR_ADVISORYhttp://secunia.com/advisories/23235
• MISChttp://security.gentoo.org/glsa/glsa-200612-08.xml
• VENDOR_ADVISORYhttp://secunia.com/advisories/23013
• MISChttp://support.avaya.com/elmodocs2/security/ASA-2006-246.htm
• VENDOR_ADVISORYhttp://secunia.com/advisories/22770
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2006/4387
• VENDOR_ADVISORYhttp://www.debian.org/security/2006/dsa-1225
• MISChttp://securitytracker.com/id?1017180
• VENDOR_ADVISORYhttp://secunia.com/advisories/23009
• MISChttps://bugzilla.mozilla.org/show_bug.cgi?id=356215
• MISChttp://www.us-cert.gov/cas/techalerts/TA06-312A.html
• VENDOR_ADVISORYhttp://www.debian.org/security/2006/dsa-1227
• VENDOR_ADVISORYhttp://secunia.com/advisories/22980
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2007/0293
• MISChttp://rhn.redhat.com/errata/RHSA-2006-0733.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/24711
• VENDOR_ADVISORYhttp://secunia.com/advisories/23263
• VENDOR_ADVISORYhttp://secunia.com/advisories/22763
• VENDOR_ADVISORYhttp://secunia.com/advisories/22965
• VENDOR_ADVISORYhttp://www.ubuntu.com/usn/usn-382-1
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2008/0083
• MISChttp://rhn.redhat.com/errata/RHSA-2006-0735.html
• VENDOR_ADVISORYftp://patches.sgi.com/support/free/security/advisories/20061101-01-P
• MISChttp://securitytracker.com/id?1017181
• VENDOR_ADVISORYhttp://www.novell.com/linux/security/advisories/2006_68_mozilla.html
• MISChttp://security.gentoo.org/glsa/glsa-200612-07.xml
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2007/1198
• VENDOR_ADVISORYhttp://secunia.com/advisories/23297
• VENDOR_ADVISORYhttp://secunia.com/advisories/22727
• VENDOR_ADVISORYhttp://secunia.com/advisories/22815
• MISChttp://rhn.redhat.com/errata/RHSA-2006-0734.html
• MISChttp://www.kb.cert.org/vuls/id/335392
• MISChttp://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742
• MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/30098
• VENDOR_ADVISORYhttp://secunia.com/advisories/22737
• VENDOR_ADVISORYhttp://secunia.com/advisories/22929
• VENDOR_ADVISORYhttp://secunia.com/advisories/23202
• MISChttp://security.gentoo.org/glsa/glsa-200612-06.xml
• MISChttp://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDKSA-2006:206
• MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10478
• VENDOR_ADVISORYhttp://secunia.com/advisories/23197
• VENDOR_ADVISORYhttp://www.debian.org/security/2006/dsa-1224
• VENDOR_ADVISORYhttp://secunia.com/advisories/22066
• MISChttp://www.mozilla.org/security/announce/2006/mfsa2006-66.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/22817
• VENDOR_ADVISORYhttp://secunia.com/advisories/22722
• MISChttp://sunsolve.sun.com/search/document.do?assetkey=1-26-102781-1
• MISChttp://www.mozilla.org/security/announce/2006/mfsa2006-60.html
• MISChttp://securitytracker.com/id?1017182
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDKSA-2006:205
• VENDOR_ADVISORYhttp://secunia.com/advisories/23287
• VENDOR_ADVISORYhttp://www.ubuntu.com/usn/usn-381-1