Security update for Mozilla Firefox (important)

Mozilla Firefox was updated to version 3.6.23, fixing
various bugs and security issues.

MFSA 2011-36: Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.

Benjamin Smedberg, Bob Clary, and Jesse Ruderman
reported memory safety problems that affected Firefox 3.6
and Firefox 6. (CVE-2011-2995)

Josh Aas reported a potential crash in the plugin API
that affected Firefox 3.6 only. (CVE-2011-2996)

MFSA 2011-37: Mark Kaplan reported a potentially
exploitable crash due to integer underflow when using a
large JavaScript RegExp expression. We would also like to
thank Mark for contributing the fix for this problem. (no
CVE yet)

MFSA 2011-38: Mozilla developer Boris Zbarsky
reported that a frame named "location" could shadow the
window.location object unless a script in a page grabbed a
reference to the true object before the frame was created.
Because some plugins use the value of window.location to
determine the page origin this could fool the plugin into
granting the plugin content access to another site or the
local file system in violation of the Same Origin Policy.
This flaw allows circumvention of the fix added for MFSA
2010-10. (CVE-2011-2999)

MFSA 2011-39: Ian Graham of Citrix Online reported
that when multiple Location headers were present in a
redirect response Mozilla behavior differed from other
browsers: Mozilla would use the second Location header
while Chrome and Internet Explorer would use the first. Two
copies of this header with different values could be a
symptom of a CRLF injection attack against a vulnerable
server. Most commonly it is the Location header itself that
is vulnerable to the response splitting and therefore the
copy preferred by Mozilla is more likely to be the
malicious one. It is possible, however, that the first copy
was the injected one depending on the nature of the server
vulnerability.

The Mozilla browser engine has been changed to treat
two copies of this header with different values as an error
condition. The same has been done with the headers
Content-Length and Content-Disposition. (CVE-2011-3000)

MFSA 2011-40: Mariusz Mlynski reported that if you
could convince a user to hold down the Enter key–as part
of a game or test, perhaps–a malicious page could pop up a
download dialog where the held key would then activate the
default Open action. For some file types this would be
merely annoying (the equivalent of a pop-up) but other file
types have powerful scripting capabilities. And this would
provide an avenue for an attacker to exploit a
vulnerability in applications not normally exposed to
potentially hostile internet content.

Holding enter allows arbitrary code execution due to
Download Manager (CVE-2011-2372)