| Description: | Summary:
The remote host is missing an update to the system
as announced in the referenced advisory.
Vulnerability Insight:
The following packages are affected:
firefox linux-firefox-devel firefox3
linux-firefox firefox35 thunderbird
linux-thunderbird seamonkey linux-seamonkey
CVE-2009-2404
Heap-based buffer overflow in a regular-expression parser in Mozilla
Network Security Services (NSS) before 3.12.3, as used in Firefox,
Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger
(AIM), allows remote SSL servers to cause a denial of service
(application crash) or possibly execute arbitrary code via a long
domain name in the subject's Common Name (CN) field of an X.509
certificate, related to the cert_TestHostName function.
CVE-2009-2408
Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly
handle a '\0' character in a domain name in the subject's Common Name
(CN) field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority.
CVE-2009-2454
Cross-site scripting (XSS) vulnerability in Citrix Web Interface 4.6,
5.0, and 5.0.1 allows remote attackers to inject arbitrary web script
or HTML via unspecified vectors.
CVE-2009-2470
Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote
SOCKS5 proxy servers to cause a denial of service (data stream
corruption) via a long domain name in a reply.
Solution:
Update your system with the appropriate patches or
software upgrades.
CVSS Score:
9.3
CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C
|
