Security issues were identified and fixed in mozilla firefox and
thunderbird:

Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before
7.0, and SeaMonkey before 2.4 do not prevent the starting of a download
in response to the holding of the Enter key, which allows user-assisted
remote attackers to bypass intended access restrictions via a crafted
web site (CVE-2011-2372).

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0,
and SeaMonkey before 2.4 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors (CVE-2011-2995).

Unspecified vulnerability in the plugin API in Mozilla Firefox 3.6.x
before 3.6.23 allows remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute arbitrary
code via unknown vectors (CVE-2011-2996).

Integer underflow in Mozilla Firefox 3.6.x before 3.6.23 allows
remote attackers to cause a denial of service (application crash)
or possibly execute arbitrary code via JavaScript code containing a
large RegExp expression (CVE-2011-2998).

Mozilla Firefox before 3.6.23 and 4.x through 5, Thunderbird before
6.0, and SeaMonkey before 2.3 do not properly handle location as the
name of a frame, which allows remote attackers to bypass the Same
Origin Policy via a crafted web site, a different vulnerability than
CVE-2010-0170 (CVE-2011-2999).

Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before
7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses
that contain multiple Location, Content-Length, or Content-Disposition
headers, which makes it easier for remote attackers to conduct HTTP
response splitting attacks via crafted header values (CVE-2011-3000).

Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey
before 2.4 do not prevent manual add-on installation in response
to the holding of the Enter key, which allows user-assisted remote
attackers to bypass intended access restrictions via a crafted web
site that triggers an unspecified internal error (CVE-2011-3001).

Integer underflow in Mozilla Firefox 3.6.x before 3.6.23 allows
remote attackers to cause a denial of service (application crash)
or possibly execute arbitrary code via JavaScript code containing a
large RegExp expression (CVE-2011-3867).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Additionally, some packages which require so, have been rebuilt and
are being provided as updates.