New seamonkey packages are available for Slackware 11.0, 12.0, 12.1, 12.2, and -current to fix security issues.

Several flaws were discovered in the browser engine. These problems could allow an attacker to crash the browser and possibly execute arbitrary code with user privileges. (CVE-2009-0352, CVE-2009-0353)

A flaw was discovered in the JavaScript engine. An attacker could bypass the same-origin policy in Firefox by utilizing a chrome XBL method and execute arbitrary JavaScript within the context of another website. (CVE-2009-0354)

A flaw was discovered in the browser engine when restoring closed tabs. If a user were tricked into restoring a tab to a malicious website with form input controls, an attacker could steal local files on the user's system. (CVE-2009-0355)

Wladimir Palant discovered that Firefox did not restrict access to cookies in HTTP response headers. If a user were tricked into opening a malicious web page, a remote attacker could view sensitive information. (CVE-2009-0357)

Paul Nel discovered that Firefox did not honor certain Cache-Control HTTP directives. A local attacker could exploit this to view private data in improperly cached pages of another user. (CVE-2009-0358).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-0352, CVE-2009-0353, CVE-2009-0356)

Several flaws were found in the way malformed content was processed. A website containing specially crafted content could, potentially, trick a Firefox user into surrendering sensitive information.
(CVE-2009-0354, CVE-2009-0355)

A flaw was found in the way Firefox treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie.
(CVE-2009-0357)

A flaw was found in the way Firefox treated certain HTTP page caching directives. A local attacker could steal the contents of sensitive pages which the page author did not intend to be cached.
(CVE-2009-0358)

After installing the update, Firefox must be restarted for the changes to take effect.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey.
(CVE-2009-0352, CVE-2009-0353)

A flaw was found in the way malformed content was processed. A website containing specially crafted content could, potentially, trick a SeaMonkey user into uploading a local file. (CVE-2009-0355)

A flaw was found in the way SeaMonkey treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie.
(CVE-2009-0357)

After installing the update, SeaMonkey must be restarted for the changes to take effect.

From Red Hat Security Advisory 2009:0257 :

Updated SeaMonkey packages that fix security issues are now available for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey.
(CVE-2009-0352, CVE-2009-0353)

A flaw was found in the way malformed content was processed. A website containing specially crafted content could, potentially, trick a SeaMonkey user into uploading a local file. (CVE-2009-0355)

A flaw was found in the way SeaMonkey treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie.
(CVE-2009-0357)

All SeaMonkey users should upgrade to these updated packages, which contain backported patches that correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect.

Versions of Firefox 3.x prior to 3.0.6 are affected by the following security issues : 

 - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)
 - A chrome XBL method can be used in conjunction with 'window.eval' to execute arbitrary JavaScript within the context of another website, violating the same origin policy. (MFSA 2009-02)
 - A form input control's type could be changed during the restoration of a closed tab to the path of a local file whose location was known to the attacker. (MFSA 2009-03)
 - An attacker may be able to inject arbitrary code into a chrome document and then execute it with chrome privileges if he can trick a user into downloading a malicious HTML file and a .desktop shortcut file. (MFSA 2009-04)
 - Cookies marked HTTPOnly are readable by JavaScript via the 'XMLHttpRequest.getResponseHeader' and 'XMLHttpRequest.getAllResponseHeaders' APIs.  (MFSA 2009-05)
 - The 'Cache-Control:  no-store' and 'Cache-Control:  no-cache' HTTP directives for HTTPS pages are ignored by Firefox 3, which could lead to exposure of sensitive information. (MFSA 2009-06).

Versions of Mozilla Thunderbird prior to 2.0.0.21 are affected by the following vulnerabilities :

 - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)
 - By exploiting stability bugs in the browser engine, it might be possible for an attacker to execute arbitrary code on the remote system under certain conditions. (MFSA 2009-07)
 - It may be possible for a website to read arbitrary XML data from another domain by using nsIRDFService and a cross-domain redirect. (MFSA 2009-09)
 - Vulnerabilities in the PNG libraries used by Mozilla could be exploited to execute arbitrary code on the remote system. (MFSA 2009-10)

The installed version of SeaMonkey is earlier than 1.1.15.  Such versions are potentially affected by the following security issues : 

  - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)

  - Cookies marked HTTPOnly are readable by JavaScript via the 'XMLHttpRequest.getResponseHeader' and 'XMLHttpRequest.getAllResponseHeaders' APIs. (MFSA 2009-05)

  - By exploiting stability bugs in the browser engine, it might be possible for an attacker to execute arbitrary code on the remote system under certain conditions. (MFSA 2009-07)

  - It may be possible for a website to read arbitrary XML data from another domain by using nsIRDFService and a cross-domain redirect. (MFSA 2009-09)

  - Vulnerabilities in the PNG libraries used by Mozilla could be exploited to execute arbitrary code on the remote system. (MFSA 2009-10)

The installed version of Firefox is earlier than 3.0.6.  Such versions are potentially affected by the following security issues : 

  - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)

  - A chrome XBL method can be used in conjunction with 'window.eval' to execute arbitrary JavaScript within the context of another website, violating the same origin policy. (MFSA 2009-02)

  - A form input control's type could be changed during the restoration of a closed tab to the path of a local file whose location was known to the attacker. (MFSA 2009-03)

  - An attacker may be able to inject arbitrary code into a chrome document and then execute it with chrome privileges if he can trick a user into downloading a malicious HTML file and a .desktop shortcut file. (MFSA 2009-04)

  - Cookies marked HTTPOnly are readable by JavaScript via the 'XMLHttpRequest.getResponseHeader' and 'XMLHttpRequest.getAllResponseHeaders' APIs.  (MFSA 2009-05)

  - The 'Cache-Control:  no-store' and 'Cache-Control:  no-cache' HTTP directives for HTTPS pages are ignored by Firefox 3, which could lead to exposure of sensitive information. (MFSA 2009-06).

The installed version of Thunderbird is earlier than 2.0.0.21.  Such versions are potentially affected by the following security issues : 

  - There are several stability bugs in the browser engine that may lead to crashes with evidence of memory corruption. (MFSA 2009-01)

  - By exploiting stability bugs in the browser engine, it might be possible for an attacker to execute arbitrary code on the remote system under certain conditions.  (MFSA 2009-07)

  - It may be possible for a website to read arbitrary XML data from another domain by using nsIRDFService and a cross-domain redirect. (MFSA 2009-09)

  - Vulnerabilities in the PNG libraries used by Mozilla could be exploited to execute arbitrary code on the remote system. (MFSA 2009-10)

ID	Name	Product	Family	Published	Updated	Severity
36010	Slackware 11.0 / 12.0 / 12.1 / 12.2 / current : seamonkey (SSA:2009-083-02)	Nessus	Slackware Local Security Checks	3/25/2009	1/14/2021	critical
37217	Ubuntu 8.04 LTS / 8.10 : firefox-3.0, xulrunner-1.9 vulnerabilities (USN-717-1)	Nessus	Ubuntu Local Security Checks	4/23/2009	1/19/2021	critical
60527	Scientific Linux Security Update : firefox on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	8/1/2012	1/14/2021	critical
60528	Scientific Linux Security Update : seamonkey on SL3.x, SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	8/1/2012	1/14/2021	critical
67796	Oracle Linux 3 / 4 : seamonkey (ELSA-2009-0257)	Nessus	Oracle Linux Local Security Checks	7/12/2013	1/14/2021	critical
4922	Mozilla Firefox 3.x < 3.0.6 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	2/4/2009	3/6/2019	medium
4964	Mozilla Thunderbird < 2.0.0.21 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	3/23/2009	3/6/2019	medium
4965	SeaMonkey < 1.1.15 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	3/23/2009	3/6/2019	medium
800752	Firefox < 3.0.6 Multiple Vulnerabilities	Log Correlation Engine	Web Clients			high
801212	Mozilla Thunderbird < 2.0.0.21 Multiple Vulnerabilities	Log Correlation Engine	SMTP Clients			high
800869	SeaMonkey < 1.1.15 Multiple Vulnerabilities	Log Correlation Engine	Web Clients			high

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

medium

medium

medium

high

high

high