RHSA-2009:1432: Critical: seamonkey security update
First published: Wed Sep 09 2009(Updated: )
SeaMonkey is an open source Web browser, email and newsgroup client, IRC<br>chat client, and HTML editor.<br>Several flaws were found in the processing of malformed web content. A web<br>page containing malicious content could cause SeaMonkey to crash or,<br>potentially, execute arbitrary code with the privileges of the user running<br>SeaMonkey. (CVE-2009-3072, CVE-2009-3075)<br>A use-after-free flaw was found in SeaMonkey. An attacker could use this<br>flaw to crash SeaMonkey or, potentially, execute arbitrary code with the<br>privileges of the user running SeaMonkey. (CVE-2009-3077)<br>Dan Kaminsky discovered flaws in the way browsers such as SeaMonkey handle<br>NULL characters in a certificate. If an attacker is able to get a<br>carefully-crafted certificate signed by a Certificate Authority trusted by<br>SeaMonkey, the attacker could use the certificate during a<br>man-in-the-middle attack and potentially confuse SeaMonkey into accepting<br>it by mistake. (CVE-2009-2408)<br>Descriptions in the dialogs when adding and removing PKCS #11 modules were<br>not informative. An attacker able to trick a user into installing a<br>malicious PKCS #11 module could use this flaw to install their own<br>Certificate Authority certificates on a user's machine, making it possible<br>to trick the user into believing they are viewing a trusted site or,<br>potentially, execute arbitrary code with the privileges of the user running<br>SeaMonkey. (CVE-2009-3076)<br>A flaw was found in the way SeaMonkey displays the address bar when<br>window.open() is called in a certain way. An attacker could use this flaw<br>to conceal a malicious URL, possibly tricking a user into believing they<br>are viewing a trusted site. (CVE-2009-2654)<br>Dan Kaminsky found that browsers still accept certificates with MD2 hash<br>signatures, even though MD2 is no longer considered a cryptographically<br>strong algorithm. This could make it easier for an attacker to create a<br>malicious certificate that would be treated as trusted by a browser. NSS<br>(provided by SeaMonkey) now disables the use of MD2 and MD4 algorithms<br>inside signatures by default. (CVE-2009-2409)<br>All SeaMonkey users should upgrade to these updated packages, which correct<br>these issues. After installing the update, SeaMonkey must be restarted for<br>the changes to take effect.
| Affected Software | Affected Version | How to fix |
|---|
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=510197
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=510251
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521311
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521688
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521691
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521692
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521693
- http://www.redhat.com/security/updates/classification/#critical
- https://access.redhat.com/errata/RHSA-2009:1432 (Advisory)
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2009:1432
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness