CVE-2007-0009: Buffer Overflow
First published: Mon Feb 26 2007(Updated: )
Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | >=1.5<1.5.0.10 | |
| Firefox | >=2.0<2.0.0.2 | |
| Mozilla NSS ESR | <3.11.5 | |
| Mozilla SeaMonkey | <1.0.8 | |
| Thunderbird | <1.5.0.10 | |
| Debian | =3.1 | |
| Debian | =4.0 | |
| Ubuntu | =6.06 | |
| Ubuntu | =6.10 | |
| Ubuntu | =5.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.mozilla.org/security/announce/2007/mfsa2007-06.html
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=483
- https://bugzilla.mozilla.org/show_bug.cgi?id=364323
- https://issues.rpath.com/browse/RPL-1081
- https://issues.rpath.com/browse/RPL-1103
- http://fedoranews.org/cms/node/2709
- http://fedoranews.org/cms/node/2711
- http://security.gentoo.org/glsa/glsa-200703-18.xml
- http://www.gentoo.org/security/en/glsa/glsa-200703-22.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:052
- http://www.redhat.com/support/errata/RHSA-2007-0079.html
- http://rhn.redhat.com/errata/RHSA-2007-0077.html
- http://www.redhat.com/support/errata/RHSA-2007-0078.html
- http://www.redhat.com/support/errata/RHSA-2007-0097.html
- http://www.redhat.com/support/errata/RHSA-2007-0108.html
- http://lists.suse.com/archive/suse-security-announce/2007-Mar/0001.html
- http://www.ubuntu.com/usn/usn-428-1
- http://www.ubuntu.com/usn/usn-431-1
- http://www.kb.cert.org/vuls/id/592796
- http://www.osvdb.org/32106
- http://www.securitytracker.com/id?1017696
- http://secunia.com/advisories/24253
- http://secunia.com/advisories/24277
- http://secunia.com/advisories/24287
- http://secunia.com/advisories/24290
- http://secunia.com/advisories/24333
- http://secunia.com/advisories/24343
- http://secunia.com/advisories/24293
- http://secunia.com/advisories/24395
- http://secunia.com/advisories/24384
- http://secunia.com/advisories/24389
- http://secunia.com/advisories/24410
- http://secunia.com/advisories/24522
- http://secunia.com/advisories/24562
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102856-1
- http://secunia.com/advisories/24703
- http://secunia.com/advisories/24650
- http://www.debian.org/security/2007/dsa-1336
- http://fedoranews.org/cms/node/2747
- http://fedoranews.org/cms/node/2749
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:050
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.374851
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.363947
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.338131
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102945-1
- http://www.novell.com/linux/security/advisories/2007_22_mozilla.html
- http://secunia.com/advisories/25597
- http://secunia.com/advisories/24406
- http://secunia.com/advisories/24455
- http://secunia.com/advisories/24456
- http://secunia.com/advisories/24457
- http://secunia.com/advisories/24342
- http://secunia.com/advisories/25588
- http://www.vupen.com/english/advisories/2007/2141
- http://www.vupen.com/english/advisories/2007/0718
- http://www.vupen.com/english/advisories/2007/0719
- http://www.vupen.com/english/advisories/2007/1165
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.securityfocus.com/bid/64758
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32663
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10174
- http://www.securityfocus.com/archive/1/461809/100/0/threaded
- http://www.securityfocus.com/archive/1/461336/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-0009?
CVE-2007-0009 has been rated as critical due to the potential for remote code execution on affected systems.
How do I fix CVE-2007-0009?
To fix CVE-2007-0009, upgrade to Mozilla NSS version 3.11.5 or later and update affected applications such as Firefox and Thunderbird to the latest versions.
Which products are affected by CVE-2007-0009?
CVE-2007-0009 affects Mozilla Firefox before 1.5.0.10, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain versions of Mozilla NSS prior to 3.11.5.
Can CVE-2007-0009 be exploited remotely?
Yes, CVE-2007-0009 can be exploited remotely by an attacker to execute arbitrary code on the affected systems.
What type of vulnerability is CVE-2007-0009?
CVE-2007-0009 is characterized as a stack-based buffer overflow vulnerability.
- agent/references
- agent/type
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/weakness
- collector/nvd-historical
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- vendor/mozilla
- canonical/firefox
- version/firefox/1.5
- version/firefox/2.0
- canonical/mozilla nss esr
- canonical/mozilla seamonkey
- canonical/thunderbird
- vendor/debian
- canonical/debian
- version/debian/3.1
- version/debian/4.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/6.06
- version/ubuntu/6.10
- version/ubuntu/5.10