Solution
Please Install the Updated Packages.
Insight
SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor.
Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library (provided by SeaMonkey) used to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running SeaMonkey. (CVE-2009-2404)
Note: in order to exploit this issue without further user interaction, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by SeaMonkey, otherwise SeaMonkey presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place.
All SeaMonkey users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, SeaMonkey must be restarted for the update to take effect.
Affected
seamonkey on CentOS 3
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2009-2404 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities