Security issues were identified and fixed in mozilla NSS, firefox
and thunderbird:

22 weak 512-bit certificates issued by the DigiCert Sdn. Bhd
certificate authority has been revoked from the root CA storage. This
was fixed with rootcerts-20111103.00 and nss-3.13. DigiCert
Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon
(GTE CyberTrust). It bears no affiliation whatsoever with the
US-based corporation DigiCert, Inc., which is a member of Mozilla's
root program.

Untrusted search path vulnerability in Mozilla Network Security
Services (NSS) might allow local users to gain privileges via a Trojan
horse pkcs11.txt file in a top-level directory (CVE-2011-3640).

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before
3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0
through 7.0 allows remote attackers to inject arbitrary web script
or HTML via crafted text with Shift JIS encoding (CVE-2011-3648).

Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird
before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript
files that contain many functions, which allows user-assisted
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
crafted file that is accessed by debugging APIs, as demonstrated by
Firebug (CVE-2011-3650).

The following vulnerabilities affetst Mandriva Linux 2011 only:

Multiple unspecified vulnerabilities in the browser engine in
Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to
cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via unknown vectors (CVE-2011-3651).

The browser engine in Mozilla Firefox before 8.0 and Thunderbird before
8.0 does not properly allocate memory, which allows remote attackers
to cause a denial of service (memory corruption and application
crash) or possibly execute arbitrary code via unspecified vectors
(CVE-2011-3652).

The browser engine in Mozilla Firefox before 8.0 and Thunderbird
before 8.0 does not properly handle links from SVG mpath elements to
non-SVG elements, which allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors (CVE-2011-3654).

Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform
access control without checking for use of the NoWaiverWrapper wrapper,
which allows remote attackers to gain privileges via a crafted web site
(CVE-2011-3655).

The following vulnerabilities affects Mandriva Enterpriser Server
5.2 and Mandriva Linux 2010.2 only:

The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird
before 3.1.6 does not properly handle XPCNativeWrappers during calls
to the loadSubScript method in an add-on, which makes it easier
for remote attackers to gain privileges via a crafted web site that
leverages certain unwrapping behavior, a related issue to CVE-2011-3004
(CVE-2011-3647).

Additionally, some packages which require so, have been rebuilt and
are being provided as updates.