Security Advisories for SeaMonkey

Impact key

• Critical Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
• High Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
• Moderate Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
• Low Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

# Fixed in SeaMonkey 2.38

• 2015-114 Information disclosure via the High Resolution Time API
• 2015-113 Memory safety errors in libGLES in the ANGLE graphics library
• 2015-112 Vulnerabilities found through code inspection
• 2015-111 Errors in the handling of CORS preflight request headers
• 2015-110 Dragging and dropping images exposes final URL after redirects
• 2015-109 JavaScript immutable property enforcement can be bypassed
• 2015-108 Scripted proxies can access inner window
• 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
• 2015-106 Use-after-free while manipulating HTML media content
• 2015-105 Buffer overflow while decoding WebM video
• 2015-104 Use-after-free with shared workers and IndexedDB
• 2015-103 URL spoofing in reader mode
• 2015-102 Crash when using debugger with SavedStacks in JavaScript
• 2015-101 Buffer overflow in libvpx while parsing vp9 format video
• 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes
• 2015-97 Memory leak in mozTCPSocket to servers
• 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
• 2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
• 2015-86 Feed protocol with POST bypasses mixed content protections
• 2015-81 Use-after-free in MediaStream playback
• 2015-68 OS X crash reports may contain entered key press information

# Fixed in SeaMonkey 2.35

• 2015-95 Add-on notification bypass through data URLs
• 2015-94 Use-after-free when resizing canvas element during restyling
• 2015-93 Integer overflows in libstagefright while processing MP4 video metadata
• 2015-92 Use-after-free in XMLHttpRequest with shared workers
• 2015-90 Vulnerabilities found through code inspection
• 2015-89 Buffer overflows on Libvpx when decoding WebM video
• 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
• 2015-87 Crash when using shared memory in JavaScript
• 2015-85 Out-of-bounds write with Updater and malicious MAR file
• 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
• 2015-83 Overflow issues in libstagefright
• 2015-82 Redefinition of non-configurable JavaScript object properties
• 2015-80 Out-of-bounds read with malformed MP3 file
• 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
• 2015-71 NSS incorrectly permits skipping of ServerKeyExchange
• 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
• 2015-67 Key pinning is ignored when overridable errors are encountered
• 2015-66 Vulnerabilities found through code inspection
• 2015-65 Use-after-free in workers while using XMLHttpRequest
• 2015-64 ECDSA signature validation fails to handle some signatures correctly
• 2015-63 Use-after-free in Content Policy due to microtask execution error
• 2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio
• 2015-61 Type confusion in Indexed Database Manager
• 2015-60 Local files or privileged URLs in pages can be opened into new tabs
• 2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)
• 2015-58 Mozilla Windows updater can be run outside of application directory
• 2015-57 Privilege escalation through IPC channel messages
• 2015-56 Untrusted site hosting trusted page can intercept webchannel responses
• 2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata
• 2015-54 Buffer overflow when parsing compressed XML
• 2015-53 Use-after-free due to Media Decoder Thread creation during shutdown
• 2015-51 Use-after-free during text processing with vertical text enabled
• 2015-50 Out-of-bounds read and write in asm.js validation
• 2015-49 Referrer policy ignored when links opened by middle-click and context menu
• 2015-48 Buffer overflow with SVG content and CSS
• 2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
• 2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
• 2015-45 Memory corruption during failed plugin initialization
• 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header
• 2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
• 2015-40 Same-origin bypass through anchor navigation
• 2015-39 Use-after-free due to type confusion flaws
• 2015-38 Memory corruption crashes in Off Main Thread Compositing
• 2015-37 CORS requests should not follow 30x redirections after preflight
• 2015-36 Incorrect memory management for simple-type arrays in WebRTC
• 2015-35 Cursor clickjacking with flash and images
• 2015-34 Out of bounds read in QCMS library
• 2015-33 resource:// documents can load privileged pages
• 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
• 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

# Fixed in SeaMonkey 2.33.1

• 2015-29 Code execution through incorrect JavaScript bounds checking elimination
• 2015-28 Privilege escalation through SVG navigation

# Fixed in SeaMonkey 2.33

• 2015-27 Caja Compiler JavaScript sandbox bypass
• 2015-25 Local files or privileged URLs in pages can be opened into new tabs
• 2015-24 Reading of local files through manipulation of form autocomplete
• 2015-22 Crash using DrawTarget in Cairo graphics library
• 2015-21 Buffer underflow during MP3 playback
• 2015-20 Buffer overflow during CSS restyling
• 2015-19 Out-of-bounds read and write while rendering SVG content
• 2015-18 Double-free when using non-default memory allocators with a zero-length XHR
• 2015-17 Buffer overflow in libstagefright during MP4 video playback
• 2015-16 Use-after-free in IndexedDB
• 2015-14 Malicious WebGL content crash when writing strings
• 2015-13 Appended period to hostnames can bypass HPKP and HSTS protections
• 2015-12 Invoking Mozilla updater will load locally stored DLL files
• 2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

# Fixed in SeaMonkey 2.32

• 2015-09 XrayWrapper bypass through DOM objects
• 2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension
• 2015-06 Read-after-free in WebRTC
• 2015-05 Read of uninitialized memory in Web Audio
• 2015-04 Cookie injection through Proxy Authenticate responses
• 2015-03 sendBeacon requests lack an Origin header
• 2015-02 Uninitialized memory use during bitmap rendering
• 2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)

# Fixed in SeaMonkey 2.31

• 2014-91 Privileged access to security wrapped protected objects
• 2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
• 2014-88 Buffer overflow while parsing media content
• 2014-87 Use-after-free during HTML5 parsing
• 2014-86 CSP leaks redirect data via violation reports
• 2014-85 XMLHttpRequest crashes with some input streams
• 2014-84 XBL bindings accessible via improper CSS declarations
• 2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

# Fixed in SeaMonkey 2.30

• 2014-81 Inconsistent video sharing within iframe
• 2014-80 Key pinning bypasses
• 2014-79 Use-after-free interacting with text directionality
• 2014-78 Further uninitialized memory use during GIF rendering
• 2014-77 Out-of-bounds write with WebM video
• 2014-76 Web Audio memory corruption issues with custom waveforms
• 2014-75 Buffer overflow during CSS manipulation
• 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

# Fixed in SeaMonkey 2.29.1

• 2014-73 RSA Signature Forgery in NSS

# Fixed in SeaMonkey 2.29

• 2014-72 Use-after-free setting text directionality
• 2014-71 Profile directory file access through file: protocol
• 2014-70 Out-of-bounds read in Web Audio audio timeline
• 2014-69 Uninitialized memory use during GIF rendering
• 2014-68 Use-after-free during DOM interactions with SVG
• 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)

# Fixed in SeaMonkey 2.26.1

• 2014-54 Buffer overflow in Gamepad API
• 2014-53 Buffer overflow in Web Audio Speex resampler
• 2014-52 Use-after-free with SMIL Animation Controller
• 2014-51 Use-after-free in Event Listener Manager
• 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
• 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

# Fixed in SeaMonkey 2.26

• 2014-47 Debugger can bypass XrayWrappers with JavaScript
• 2014-46 Use-after-free in nsHostResolver
• 2014-45 Incorrect IDNA domain name matching for wildcard certificates
• 2014-44 Use-after-free in imgLoader while resizing images
• 2014-43 Cross-site scripting (XSS) using history navigations
• 2014-42 Privilege escalation through Web Notification API
• 2014-41 Out-of-bounds write in Cairo
• 2014-39 Use-after-free in the Text Track Manager for HTML video
• 2014-38 Buffer overflow when using non-XBL object as XBL
• 2014-37 Out of bounds read while decoding JPG images
• 2014-36 Web Audio memory corruption issues
• 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

# Fixed in SeaMonkey 2.25

• 2014-32 Out-of-bounds write through TypedArrayObject after neutering
• 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
• 2014-30 Use-after-free in TypeObject
• 2014-29 Privilege escalation using WebIDL-implemented APIs
• 2014-28 SVG filters information disclosure through feDisplacementMap
• 2014-27 Memory corruption in Cairo during PDF font rendering
• 2014-26 Information disclosure through polygon rendering in MathML
• 2014-23 Content Security Policy for data: documents not preserved by session restore
• 2014-22 WebGL content injection from one domain to rendering in another
• 2014-20 onbeforeunload and Javascript navigation DOS
• 2014-19 Spoofing attack on WebRTC permission prompt
• 2014-18 crypto.generateCRMFRequest does not validate type of key
• 2014-17 Out of bounds read during WAV file decoding
• 2014-16 Files extracted during updates are not always read only
• 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)

# Fixed in SeaMonkey 2.24

• 2014-13 Inconsistent JavaScript handling of access to Window objects
• 2014-12 NSS ticket handling issues
• 2014-11 Crash when using web workers with asm.js
• 2014-09 Cross-origin information leak through web workers
• 2014-08 Use-after-free with imgRequestProxy and image proccessing
• 2014-07 XSLT stylesheets treated as styles in Content Security Policy
• 2014-05 Information disclosure with *FromPoint on iframes
• 2014-04 Incorrect use of discarded images by RasterImage
• 2014-03 UI selection timeout missing on download prompts
• 2014-02 Clone protected content with XBL scopes
• 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)

# Fixed in SeaMonkey 2.23

• 2013-117 Mis-issued ANSSI/DCSSI certificate
• 2013-116 JPEG information leak
• 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
• 2013-114 Use-after-free in synthetic mouse movement
• 2013-113 Trust settings for built-in roots ignored during EV certificate validation
• 2013-112 Linux clipboard information disclosure though selection paste
• 2013-111 Segmentation violation when replacing ordered list elements
• 2013-110 Potential overflow in JavaScript binary search algorithms
• 2013-109 Use-after-free during Table Editing
• 2013-108 Use-after-free in event listeners
• 2013-107 Sandbox restrictions not applied to nested object elements
• 2013-106 Character encoding cross-origin XSS attack
• 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)

# Fixed in SeaMonkey 2.22.1

• 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities

# Fixed in SeaMonkey 2.22

• 2013-102 Use-after-free in HTML document templates
• 2013-101 Memory corruption in workers
• 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
• 2013-98 Use-after-free when updating offline cache
• 2013-97 Writing to cycle collected object during image decoding
• 2013-96 Improperly initialized memory and overflows in some JavaScript functions
• 2013-95 Access violation with XSLT and uninitialized data
• 2013-94 Spoofing addressbar though SELECT element
• 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

# Fixed in SeaMonkey 2.21

• 2013-92 GC hazard with default compartments and frame chain restoration
• 2013-91 User-defined properties on DOM proxies get the wrong "this" object
• 2013-90 Memory corruption involving scrolling
• 2013-89 Buffer overflow with multi-column, lists, and floats
• 2013-88 Compartment mismatch re-attaching XBL-backed nodes
• 2013-85 Uninitialized data in IonMonkey
• 2013-83 Mozilla Updater does not lock MAR file after signature verification
• 2013-82 Calling scope for new Javascript objects can lead to memory corruption
• 2013-81 Use-after-free with select element
• 2013-80 NativeKey continues handling key messages after widget is destroyed
• 2013-79 Use-after-free in Animation Manager during stylesheet cloning
• 2013-78 Integer overflow in ANGLE library
• 2013-77 Improper state in HTML5 Tree Builder with templates
• 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

# Fixed in SeaMonkey 2.20

• 2014-14 Script execution in HTML mail replies
• 2013-75 Local Java applets may read contents of local file system
• 2013-74 Firefox full and stub installer DLL hijacking
• 2013-73 Same-origin bypass with web workers and XMLHttpRequest
• 2013-72 Wrong principal used for validating URI for some Javascript components
• 2013-71 Further Privilege escalation through Mozilla Updater
• 2013-70 Bypass of XrayWrappers using XBL Scopes
• 2013-69 CRMF requests allow for code execution and XSS attacks
• 2013-68 Document URI misrepresentation and masquerading
• 2013-67 Crash during WAV audio file decoding
• 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
• 2013-65 Buffer underflow when generating CRMF requests
• 2013-64 Use after free mutating DOM during SetBody
• 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

# Fixed in SeaMonkey 2.19

• 2013-61 Homograph domain spoofing in .com, .net and .name
• 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
• 2013-58 X-Frame-Options ignored when using server push with multi-part responses
• 2013-57 Sandbox restrictions not applied to nested frame elements
• 2013-56 PreserveWrapper has inconsistent behavior
• 2013-55 SVG filters can lead to information disclosure
• 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
• 2013-53 Execution of unmapped memory through onreadystatechange event
• 2013-51 Privileged content access and execution via XBL
• 2013-50 Memory corruption found using Address Sanitizer
• 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

# Fixed in SeaMonkey 2.17

• 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
• 2013-39 Memory corruption while rendering grayscale PNG images
• 2013-38 Cross-site scripting (XSS) using timed history navigations
• 2013-37 Bypass of tab-modal dialog origin disclosure
• 2013-36 Bypass of SOW protections allows cloning of protected nodes
• 2013-35 WebGL crash with Mesa graphics driver on Linux
• 2013-34 Privilege escalation through Mozilla Updater
• 2013-31 Out-of-bounds write in Cairo library
• 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)

# Fixed in SeaMonkey 2.16.1

• 2013-29 Use-after-free in HTML Editor

# Fixed in SeaMonkey 2.16

• 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
• 2013-27 Phishing on HTTPS connection through malicious proxy
• 2013-26 Use-after-free in nsImageLoadingContent
• 2013-25 Privacy leak in JavaScript Workers
• 2013-24 Web content bypass of COW and SOW security wrappers
• 2013-23 Wrapped WebIDL objects can be wrapped again
• 2013-22 Out-of-bounds read in image rendering
• 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)

# Fixed in SeaMonkey 2.15

• 2013-20 Mis-issued TURKTRUST certificates
• 2013-19 Use-after-free in Javascript Proxy objects
• 2013-18 Use-after-free in Vibrate
• 2013-17 Use-after-free in ListenerManager
• 2013-16 Use-after-free in serializeToStream
• 2013-15 Privilege escalation through plugin objects
• 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype
• 2013-13 Memory corruption in XBL with XML bindings containing SVG
• 2013-12 Buffer overflow in Javascript string concatenation
• 2013-11 Address space layout leaked in XBL objects
• 2013-10 Event manipulation in plugin handler to bypass same-origin policy
• 2013-09 Compartment mismatch with quickstubs returned values
• 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection
• 2013-07 Crash due to handling of SSL on threads
• 2013-06 Touch events are shared across iframes
• 2013-05 Use-after-free when displaying table with many columns and column groups
• 2013-04 URL spoofing in addressbar during page loads
• 2013-03 Buffer Overflow in Canvas
• 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer
• 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

# Fixed in SeaMonkey 2.14

• 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
• 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
• 2012-103 Frames can shadow top.location
• 2012-101 Improper character decoding in HZ-GB-2312 charset
• 2012-100 Improper security filtering for cross-origin wrappers
• 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
• 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
• 2012-96 Memory corruption in str_unescape
• 2012-94 Crash when combining SVG text on path with CSS
• 2012-93 evalInSanbox location context incorrectly applied
• 2012-92 Buffer overflow while rendering GIF images
• 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)

# Fixed in SeaMonkey 2.13.2

• 2012-90 Fixes for Location object issues
• 2012-67 Installer will launch incorrect executable following new installation

# Fixed in SeaMonkey 2.13.1

• 2012-89 defaultValue security checks not applied
• 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)

# Fixed in SeaMonkey 2.13

• 2012-87 Use-after-free in the IME State Manager
• 2012-86 Heap memory corruption issues found using Address Sanitizer
• 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
• 2012-84 Spoofing and script injection through location.hash
• 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
• 2012-82 top object and location property accessible by plugins
• 2012-81 GetProperty function can bypass security checks
• 2012-80 Crash with invalid cast when using instanceof operator
• 2012-79 DOS and crash with full screen and history navigation
• 2012-77 Some DOMWindowUtils methods bypass security checks
• 2012-76 Continued access to initial origin after setting document.domain
• 2012-75 select element persistance allows for attacks
• 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

# Fixed in SeaMonkey 2.12

• 2012-73 SPDY information disclosure
• 2012-70 Location object security checks bypassed by chrome code
• 2012-69 Incorrect site SSL certificate data display
• 2012-68 DOMParser loads linked resources in extensions when parsing text/html
• 2012-65 Out-of-bounds read in format-number in XSLT
• 2012-64 Graphite 2 memory corruption
• 2012-63 SVG buffer overflow and use-after-free issues
• 2012-62 WebGL use-after-free and memory corruption
• 2012-61 Memory corruption with bitmap format images with negative height
• 2012-59 Location object can be shadowed using Object.defineProperty
• 2012-58 Use-after-free issues found using Address Sanitizer
• 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)

# Fixed in SeaMonkey 2.11

• 2012-56 Code execution through javascript: URLs
• 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
• 2012-52 JSDependentString::undepend string conversion results in memory corruption
• 2012-51 X-Frame-Options header ignored when duplicated
• 2012-50 Out of bounds read in QCMS
• 2012-49 Same-compartment Security Wrappers can be bypassed
• 2012-48 use-after-free in nsGlobalWindow::PageHidden
• 2012-47 Improper filtering of javascript in HTML feed-view
• 2012-45 Spoofing issue with location
• 2012-44 Gecko memory corruption
• 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

# Fixed in SeaMonkey 2.10

• 2012-54 Clickjacking of certificate warning page
• 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
• 2012-39 NSS parsing errors with zero length items
• 2012-38 Use-after-free while replacing/inserting a node in a document
• 2012-37 Information disclosure though Windows file shares and shortcut files
• 2012-36 Content Security Policy inline-script bypass
• 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service
• 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)

# Fixed in SeaMonkey 2.9

• 2012-33 Potential site identity spoofing when loading RSS and Atom feeds
• 2012-32 HTTP Redirections and remote content can be read by javascript errors
• 2012-31 Off-by-one error in OpenType Sanitizer
• 2012-30 Crash with WebGL content using textImage2D
• 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
• 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
• 2012-27 Page load short-circuit can lead to XSS
• 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
• 2012-25 Potential memory corruption during font rendering using cairo-dwrite
• 2012-24 Potential XSS via multibyte content processing errors
• 2012-23 Invalid frees causes heap corruption in gfxImageSurface
• 2012-22 use-after-free in IDBKeyRange
• 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

# Fixed in SeaMonkey 2.8

• 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
• 2012-18 window.fullScreen writeable by untrusted content
• 2012-17 Crash when accessing keyframe cssText after dynamic modification
• 2012-16 Escalation of privilege with Javascript: URL as home page
• 2012-15 XSS with multiple Content Security Policy headers
• 2012-14 SVG issues found with Address Sanitizer
• 2012-13 XSS with Drag and Drop and Javascript: URL
• 2012-12 Use-after-free in shlwapi.dll

# Fixed in SeaMonkey 2.7.2

• 2012-11 libpng integer overflow

# Fixed in SeaMonkey 2.7.1

• 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings

# Fixed in SeaMonkey 2.7

• 2012-09 Firefox Recovery Key.html is saved with unsafe permission
• 2012-08 Crash with malformed embedded XSLT stylesheets
• 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
• 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
• 2012-05 Frame scripts calling into untrusted objects bypass security checks
• 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
• 2012-03 <iframe> element exposed across domains via name attribute
• 2012-01 Miscellaneous memory safety hazards (rv:10.0/ 1.9.2.26)

# Fixed in SeaMonkey 2.6

• 2012-41 Use-after-free in nsHTMLSelectElement
• 2011-58 Crash scaling <video> to extreme sizes
• 2011-57 Crash when plugin removes itself on Mac OS X
• 2011-56 Key detection without JavaScript via SVG animation
• 2011-55 nsSVGValue out-of-bounds access
• 2011-54 Potentially exploitable crash in the YARR regular expression library
• 2011-53 Miscellaneous memory safety hazards (rv:9.0)

# Fixed in SeaMonkey 2.5

• 2011-52 Code execution via NoWaiverWrapper
• 2011-51 Cross-origin image theft on Mac with integrated Intel GPU
• 2011-50 Cross-origin data theft using canvas and Windows D2D
• 2011-49 Memory corruption while profiling using Firebug
• 2011-48 Miscellaneous memory safety hazards (rv:8.0)
• 2011-47 Potential XSS against sites using Shift-JIS

# Fixed in SeaMonkey 2.4

• 2012-02 Overly permissive IPv6 literal syntax
• 2011-45 Inferring keystrokes from motion data
• 2011-44 Use after free reading OGG headers
• 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter
• 2011-42 Potentially exploitable crash in the YARR regular expression library
• 2011-41 Potentially exploitable WebGL crashes
• 2011-40 Code installation through holding down Enter
• 2011-39 Defense against multiple Location headers due to CRLF Injection
• 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

# Fixed in SeaMonkey 2.3.3

• 2011-35 Additional protection against fraudulent DigiNotar certificates

# Fixed in SeaMonkey 2.3.2

• 2011-34 Protection against fraudulent DigiNotar certificates

# Fixed in SeaMonkey 2.3

• 2011-38 XSS via plugins and shadowed window.location object
• 2011-33 Security issues addressed in SeaMonkey 2.3