Advisories MDVSA-2009:339: firefox


paul

Security issues were identified and fixed in firefox 3.0.x:

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3979).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3980).

Unspecified vulnerability in the browser engine in Mozilla Firefox before 3.0.16, SeaMonkey before 2.0.1, and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3981).

Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user (CVE-2009-3983).

Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to spoof an SSL indicator for an http URL or a file URL by setting document.location to an https URL corresponding to a site that responds with a No Content (aka 204) status code and an empty body (CVE-2009-3984).

Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to associate spoofed content with an invalid URL by setting document.location to this URL, and then writing arbitrary web script or HTML to the associated blank document, a related issue to CVE-2009-2654 (CVE-2009-3985).

Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to execute arbitrary JavaScript with chrome privileges by leveraging a reference to a chrome window from a content window, related to the window.opener property (CVE-2009-3986).

The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different exception messages depending on whether the referenced COM object is listed in the registry, which allows remote attackers to obtain potentially sensitive information about installed software by making multiple calls that specify the ProgID values of different COM objects (CVE-2009-3987).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

Additionally, some packages that require it have been rebuilt and are being provided as updates.
