CVE-2009-2061

https://www.paypal.com/ is the PoC site, but https://wiki.ubuntu.com
seems to be a valid trigger as well (both set a cookie which is sent on
connect). https://www.verisign.com will trigger the alert() in the PoC, but
doesn't contain the cookie
firefox-3.0 (3.0.9) is confirmed to be affected
mozilla is silently fixing this in 3.0.10, but it won't be public
until the CRD
konqueror 3 (kdelibs) in dapper is confirmed to be affected
konqueror 4 (kde4libs) in jaunty does not seem to be affected
(displays it's own connection refused message for all 4xx codes)
webkit on jaunty does not seem affected, though all of its consumers
are rather flaky (midori, python-webkit/webbrowser.py, webkit/GtkLauncher,
kazehakase-webkit). None of these would work with paypal or wiki.u.c, but
would with https://www.verisign.com/. At verisign, firefox would display
the PoC alert, but without the cookie. webkit, midori and python-webkit would
not display the alert at all (kazehakase crashes on any page load). Other
consumers are devhelp and anjuta, but I didn't see how to get an external
page to load. At any rate, webkit is a tentative 'not-affected'. Will get
more feedback from Debian maintainer.
qt4-x11 in jaunty does not seem to be affected. arora is its
browser consumer and it displays its own 'HTTP request failed' message for
all 4xx codes
also checked epiphany-webkit on 8.10. The browser can go to paypal,
but is not vulnerable (does not display the alert at all for all 4xx codes)