Mozilla Certificate Authority Vulnerability and Arbitrary Code Injection

http://www.mozilla.org/security/announce/2009/mfsa2009-42.html
http://www.mozilla.org/security/announce/2009/mfsa2009-43.html

Mozilla announced two vulnerabilities in its suite of applications.
The first describes a method by which an attacker could spoof a
certificate signed by a CA. This could lead to man-in-the-middle
attacks on SSL traffic. Mozilla updates are also delivered over SSL, so
this could create a situation where Mozilla updates are compromised.

The second issue is a heap overflow that could lead to arbitrary code
injection.

Mozilla's statements appear to suggest upgrading any product in their
3.0 line to 3.5. It does not look like they are going to be patching
their 3.0 code.

To avoid these vulnerabilities, upgrading to the latest 3.5 version of
Firefox and the latest versions of Thunderbird, Sunbird and SeaMonkey
is suggested.