FreeBSD Ports: firefox, linux-firefox-devel

The remote host is missing an update to the system as announced in the referenced advisory.

The following packages are affected: firefox linux-firefox-devel firefox3 linux-firefox firefox35 thunderbird linux-thunderbird seamonkey linux-seamonkey CVE-2009-2404 Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function. CVE-2009-2408 Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVE-2009-2454 Cross-site scripting (XSS) vulnerability in Citrix Web Interface 4.6, 5.0, and 5.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2009-2470 Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote SOCKS5 proxy servers to cause a denial of service (data stream corruption) via a long domain name in a reply.

Update your system with the appropriate patches or software upgrades. http://www.mozilla.org/security/announce/2009/mfsa2009-38.html http://www.mozilla.org/security/announce/2009/mfsa2009-42.html http://www.mozilla.org/security/announce/2009/mfsa2009-43.html http://www.mozilla.org/security/announce/2009/mfsa2009-44.html http://www.mozilla.org/security/announce/2009/mfsa2009-45.html http://www.mozilla.org/security/announce/2009/mfsa2009-46.html http://www.vuxml.org/freebsd/49e8f2ee-8147-11de-a994-0030843d3802.html