Here's the big list, and honestly, this is mostly about linking to posts on Cameron Kaiser's TenFourFox Development blog since he wrote the bash replacement below and knows just as much as anybody:
1) Yes, the bash that comes with your PowerPC Mac is compromised. Cameron Kaiser was nice enough to build a new version that fixes the security flaw so us PowerPC users can rest easy (also works for Snow Leopard).
2) SSLv3 is no longer safe. The solution here is to update TenFourFox and Tenfourbird to their latest versions, which disable SSLv3. WebKit browsers that depend on the system SSL libraries remain vulnerable.
3) Certain versions of OpenSSL have a hole. Older OpenSSL-based libraries bundled with Tiger and Leopard are not vulnerable to this specific bug, but if you have versions 1.0.1 to 1.0.1f installed on your system through MacPorts or Homebrew/Tigerbrew, you'll want to update to the latest version.
4) That handy tool sudo, giving you root access from the command line, is vulnerable to an exploit. Check this post for the solution and also look down to the comments on how to use vi is a mystery to you.
5) Flash is not safe.
6) Java is not safe. I've seen links about installing OpenJDK 7 on Leopard, but I don't know how feasible it is. You could also put Debian on a separate partition and run the latest Java from there.
7) Finally, your FireWire ports are vulnerable to physical attack. You can check out Adam Albrec's Security Mode scripts to secure your laptops from this and other vulnerabilities.
As said, this post will be continually updated with developing news. Hopefully the list won't get too long. ;-)
8) And I've been informed of yet another one. The DigiNotar SSL certificate is compromised. This was back in 2011 and was the first time Apple released a security update that didn't include PowerPC, so maybe that's why I blocked it out. Follow the step-by-step instructions at $ ps | Enable (their mpkg automator didn't seem to change things for me) to clear your system. This only affects you if you use Safari or another browser that accesses your system's SSL certificates. It does not affect TenFourFox.
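
For item 3, here is a small Terminal script that reports whether any OpenSSL binary on your Mac falls in the 1.0.1 to 1.0.1f range. It is an added example, not from the original post or from Cameron Kaiser's blog. The function names are made up for illustration, and the default paths are assumptions (the system copy plus the usual MacPorts and Homebrew/Tigerbrew prefixes).

```shell
#!/bin/sh
# Added example: flag OpenSSL builds in the range the post names (1.0.1 to 1.0.1f).

# Pull the version token out of an `openssl version` line,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Print "affected" or "not affected" for one version token.
# A build suffix such as "-fips" is ignored before matching.
classify_openssl() {
    base=${1%%-*}
    case "$base" in
        1.0.1|1.0.1[a-f]) echo "affected" ;;
        *)                echo "not affected" ;;
    esac
}

# Check each candidate binary that exists and print: path, version, verdict.
# Default paths are assumptions; pass your own paths as arguments to override.
scan_openssl() {
    [ $# -gt 0 ] || set -- /usr/bin/openssl /opt/local/bin/openssl \
        /usr/local/bin/openssl /usr/local/opt/openssl/bin/openssl
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        line=$("$bin" version 2>/dev/null) || continue
        ver=$(openssl_version_token "$line")
        printf '%s\t%s\t%s\n' "$bin" "$ver" "$(classify_openssl "$ver")"
    done
    return 0
}

scan_openssl "$@"
```

This only sees the command-line binaries at those paths; an application that bundles its own copy of the library has to be checked separately.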