CVE-2006-4567
EPSS 0.99%
Description
Mozilla Firefox before 1.5.0.7 and Thunderbird before 1.5.0.7 make it easy for users to accept self-signed certificates for the auto-update mechanism, which might allow remote user-assisted attackers to use DNS spoofing to trick users into visiting a malicious site and accepting a malicious certificate for the Mozilla update site, which can then be used to install arbitrary code on the next update.
How to fix CVE-2006-4567
To remediate CVE-2006-4567, upgrade the affected package to the fixed version listed below.
- Debian/thunderbird: upgrade to 1.5.0.7-1 or later
Is CVE-2006-4567 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Debian/thunderbird: from 0, < 1.5.0.7-1