MDVSA-2011:111: mozilla
Written by Administrator
Wednesday, 22 June 2011 23:00
Security issues were identified and fixed in Mozilla Firefox and
Thunderbird:

Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative two instances in which code that modifies SVG element lists
failed to account for changes made to the list by user-supplied
callbacks before accessing list elements. If a user-supplied callback
deleted such an object, the element-modifying code could wind up
accessing deleted memory and potentially executing attacker-controlled
memory. regenrecht also reported via TippingPoint's Zero Day Initiative
that a XUL document could force the nsXULCommandDispatcher to remove
all command updaters from the queue, including the one currently
in use. This could result in the execution of deleted memory which
an attacker could use to run arbitrary code on a victim's computer
(CVE-2011-0083, CVE-2011-0085, CVE-2011-2363).

Mozilla security researcher David Chan reported that cookies set for
example.com. (note the trailing dot) and example.com were treated as
interchangeable. This is a violation of same-origin conventions and
could potentially lead to leakage of cookie data to the wrong party
(CVE-2011-2362).
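
Added example, not part of the advisory and not Mozilla's code: a simplified JavaScript cookie jar showing how a host canonicaliser that drops the trailing dot makes a cookie set by example.com. visible to example.com, while one that keeps the dot treats the two hosts as separate. The jar, its suffix-matching rule, the function names and the sample cookie are assumptions constructed for illustration.

```javascript
// Simplified model of a cookie store (assumption, not browser code).
// Two host canonicalisers: `conflating` models the reported behaviour,
// `strict` keeps "example.com." and "example.com" distinct.
const conflating = (h) => h.toLowerCase().replace(/\.$/, "");
const strict = (h) => h.toLowerCase();

const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// Suffix-based domain match: identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return !isIPv4(host) && host.endsWith("." + domain);
}

class CookieJar {
  constructor(canon) {
    this.canon = canon;   // host canonicaliser used for storing and matching
    this.cookies = [];
  }
  // Store a cookie set by `host`, scoped to that host's domain.
  set(host, name, value) {
    const domain = this.canon(host);
    this.cookies = this.cookies.filter(
      (c) => !(c.domain === domain && c.name === name));
    this.cookies.push({ domain, name, value });
  }
  // Build the Cookie header value that would be sent to `host`.
  header(host) {
    const h = this.canon(host);
    return this.cookies
      .filter((c) => domainMatches(h, c.domain))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Set one cookie from the dotted host, then see which hosts receive it.
function demo(canon) {
  const jar = new CookieJar(canon);
  jar.set("example.com.", "session", "dotted"); // constructed sample value
  return {
    toDotless: jar.header("example.com"),
    toDotted: jar.header("example.com."),
    toSubOfDotless: jar.header("www.example.com"),
  };
}

console.log("conflating:", demo(conflating));
console.log("strict:    ", demo(strict));
```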

Mozilla developers identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code (CVE-2011-2364,
CVE-2011-2365, CVE-2011-2374, CVE-2011-2375, CVE-2011-2376).

Security researchers Chris Rohlf and Yan Ivnitskiy of Matasano Security
reported that when a JavaScript Array object had its length set to an
extremely large value, the iteration of array elements that occurs
when its reduceRight method was subsequently called could result in
the execution of attacker-controlled memory due to an invalid index
value being used to access element properties (CVE-2011-2371).

Security researcher Martin Barbella reported that under certain
conditions, viewing a XUL document while JavaScript was disabled
caused deleted memory to be accessed. This flaw could potentially
be used by an attacker to crash a victim's browser and run arbitrary
code on their computer (CVE-2011-2373).

Security researcher Jordi Chancel reported a crash on
multipart/x-mixed-replace images due to memory corruption
(CVE-2011-2377).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Additionally, some packages that require it have been rebuilt and
are being provided as updates.
