Mozilla Seamonkey was updated to version 2.4, fixing
various bugs and security issues.

MFSA 2011-36: Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code.

In general these flaws cannot be exploited through email in
the Thunderbird and SeaMonkey products because scripting is
disabled, but are potentially a risk in browser or
browser-like contexts in those products.

Benjamin Smedberg, Bob Clary, and Jesse Ruderman reported
memory safety problems that affected Firefox 3.6 and
Firefox 6. (CVE-2011-2995)

Bob Clary, Andrew McCreight, Andreas Gal, Gary Kwong, Igor
Bukanov, Jason Orendorff, Jesse Ruderman, and Marcia Knous
reported memory safety problems that affected Firefox 6,
fixed in Firefox 7. (CVE-2011-2997)

MFSA 2011-38: Mozilla developer Boris Zbarsky reported that
a frame named "location" could shadow the window.location
object unless a script in a page grabbed a reference to the
true object before the frame was created. Because some
plugins use the value of window.location to determine the
page origin this could fool the plugin into granting the
plugin content access to another site or the local file
system in violation of the Same Origin Policy. This flaw
allows circumvention of the fix added for MFSA 2010-10.
(CVE-2011-2999)

MFSA 2011-39: Ian Graham of Citrix Online reported that
when multiple Location headers were present in a redirect
response Mozilla behavior differed from other browsers:
Mozilla would use the second Location header while Chrome
and Internet Explorer would use the first. Two copies of
this header with different values could be a symptom of a
CRLF injection attack against a vulnerable server. Most
commonly it is the Location header itself that is
vulnerable to the response splitting and therefore the copy
preferred by Mozilla is more likely to be the malicious
one. It is possible, however, that the first copy was the
injected one depending on the nature of the server
vulnerability.

The Mozilla browser engine has been changed to treat two
copies of this header with different values as an error
condition. The same has been done with the headers
Content-Length and Content-Disposition. (CVE-2011-3000)

MFSA 2011-40: Mariusz Mlynski reported that if you could
convince a user to hold down the Enter key--as part of a
game or test, perhaps--a malicious page could pop up a
download dialog where the held key would then activate the
default Open action. For some file types this would be
merely annoying (the equivalent of a pop-up) but other file
types have powerful scripting capabilities. And this would
provide an avenue for an attacker to exploit a
vulnerability in applications not normally exposed to
potentially hostile internet content.

Mariusz also reported a similar flaw with manual plugin
installation using the PLUGINSPAGE attribute. It was
possible to create an internal error that suppressed a
confirmation dialog, such that holding enter would lead to
the installation of an arbitrary add-on. (This variant did
not affect Firefox 3.6)

Holding enter allows arbitrary code execution due to
Download Manager (CVE-2011-2372)

Holding enter allows arbitrary extension installation
(CVE-2011-3001)

MFSA 2011-41: Michael Jordon of Context IS reported that in
the ANGLE library used by WebGL the return value from
GrowAtomTable() was not checked for errors. If an attacker
could cause requests that exceeded the available memeory
those would fail and potentially lead to a buffer overrun
as subsequent code wrote into the non-allocated space.
(CVE-2011-3002)

Ben Hawkes of the Google Security Team reported a WebGL
test case that demonstrated an out of bounds write after an
allocation failed. (CVE-2011-3003)

MFSA 2011-42: Security researcher Aki Helin reported a
potentially exploitable crash in the YARR regular
expression library used by JavaScript. (CVE-2011-3232)

MFSA 2011-43: David Rees reported that the
JSSubScriptLoader (a feature used by some add-ons) was
"unwrapping" XPCNativeWrappers when they were used as the
scope parameter to loadSubScript(). Without the protection
of the wrappers the add-on could be vulnerable to privilege
escalation attacks from malicious web content. Whether any
given add-on were vulnerable would depend on how the add-on
used the feature and whether it interacted directly with
web content, but we did find at least one vulnerable add-on
and presumer there are more. (CVE-2011-3004)

The unwrapping behavior was a change introduced during
Firefox 4 development. Firefox 3.6 and earlier versions are
not affected.

MFSA 2011-44: sczimmer reported that Firefox crashed when
loading a particular .ogg file. This was due to a
use-after-free condition and could potentially be exploited
to install malware. (CVE-2011-3005)

This vulnerability does not affect Firefox 3.6 or earlier.

MFSA 2011-45: University of California, Davis researchers
Liang Cai and Hao Chen presented a paper at the 2011 USENIX
HotSec workshop on inferring keystrokes from device motion
data on mobile devices. Web pages can now receive data
similar to the apps studied in that paper and likely
present a similar risk. We have decided to limit motion
data events to the currently-active tab to prevent the
possibility of background tabs attempting to decipher
keystrokes the user is entering into the foreground tab.