CVE-2006-4340

Name: CVE-2006-4340
Description: Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-1191-1, DSA-1192-1, DSA-1210
NVD severity: medium (attack range: remote)
Debian/oldstable: not known to be vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not known to be vulnerable.
Debian/unstable: not known to be vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| xulrunner (PTS) | wheezy, wheezy (security) | 24.8.1esr-2~deb7u1 | fixed |

The information above is based on the following data on fixed versions.

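| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| firefox | source | (unstable) | 1.5.dfsg+1.5.0.7-1 | high | | |
| mozilla | source | (unstable) | (unfixed) | high | | |
| mozilla | source | sarge | 2:1.7.8-1sarge7.3.1 | medium | DSA-1192-1 | |
| mozilla-firefox | source | sarge | 1.0.4-2sarge12 | medium | DSA-1210 | |
| mozilla-thunderbird | source | sarge | 1.0.2-2.sarge1.0.8c.1 | medium | DSA-1191-1 | |
| thunderbird | source | (unstable) | 1.5.0.7-1 | high | | |
| xulrunner | source | (unstable) | 1.8.0.7-1 | high | | |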

Notes

MFSA-2006-60; this is similar to CVE-2006-4339.
