Mozilla Firefox 3.0.5 and earlier 3.0.x versions, when designMode is
enabled, allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a certain (a)
replaceChild or (b) removeChild call, followed by a (1)
queryCommandValue, (2) queryCommandState, or (3) queryCommandIndeterm
mozilla, please advice.
Planned release for 3.0.6 is 3-4 february.
Ready to vote, I vote NO.
Mozilla Firefox before 18.104.22.168 and 3.x before 3.0.5, SeaMonkey, and
Thunderbird allow remote attackers to cause a denial of service
(memory consumption and application crash) via a large integer value
for the length property of a Select object, a related issue to
Gah, last comment should go to another bug.
Nothing for mozilla team to do here.
This issue was resolved and addressed in
GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).