CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
97.8%
CentOS Errata and Security Advisory CESA-2009:1185
SeaMonkey is an open source Web browser, email and newsgroup client, IRC
chat client, and HTML editor.
Moxie Marlinspike reported a heap overflow flaw in a regular expression
parser in the NSS library (provided by SeaMonkey) used to match common
names in certificates. A malicious website could present a
carefully-crafted certificate in such a way as to trigger the heap
overflow, leading to a crash or, possibly, arbitrary code execution with
the permissions of the user running SeaMonkey. (CVE-2009-2404)
Note: in order to exploit this issue without further user interaction, the
carefully-crafted certificate would need to be signed by a Certificate
Authority trusted by SeaMonkey, otherwise SeaMonkey presents the victim
with a warning that the certificate is untrusted. Only if the user then
accepts the certificate will the overflow take place.
All SeaMonkey users should upgrade to these updated packages, which contain
a backported patch to correct this issue. After installing the updated
packages, SeaMonkey must be restarted for the update to take effect.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-July/078222.html
https://lists.centos.org/pipermail/centos-announce/2009-July/078223.html
Affected packages:
seamonkey
seamonkey-chat
seamonkey-devel
seamonkey-dom-inspector
seamonkey-js-debugger
seamonkey-mail
seamonkey-nspr
seamonkey-nspr-devel
seamonkey-nss
seamonkey-nss-devel
Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1185