From: Antoine Beaupre
To: hawkeyd@visi.com
Cc: trevor@jpj.net, freebsd-security@freebsd.org
Date: Thu, 2 May 2002 11:15:18 -0400
Subject: Re: Mozilla and NS6 security problem

On Thursday, May 2, 2002, at 10:22, D J Hawkey Jr wrote:

> In article <20020501152156.X2876-100000_blues.jpj.net@ns.sol.net>,
> trevor@jpj.net writes:
>> Martin Blapp wrote:
>>
>>> http://www.heise.de/newsticker/data/ju-30.04.02-000/
>>> http://sec.greymagic.com/adv/gm001-ns/
>>>
>>> Our ports are vulnerable too. It seems that there is
>>> no fix yet available.
>>
>> Thank you, Martin. I tested the linux-mozilla port yesterday and found it
>> had the bug. I've just marked it forbidden (sorry about the delay). The
>> Netscape 6 ports were already marked forbidden because of my suspicion
>> that they had the zlib double free() bug (I've seen a rumor that it was
>> corrected in Netscape 6.22).
>
> What of the "native" FreeBSD Mozilla port/package, whether it be 0.9.9
> or 1.0-RC?

Well http://sec.greymagic.com/adv/gm001-ns/ sure says it's vulnerable:

"Tested on:
Mozilla 0.9.6, Linux (Debian).
Mozilla 0.9.7, NT4.
Mozilla 0.9.8, Linux (Red Hat 7.1).
Mozilla 0.9.9, Win2000.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Linux (Red Hat 7.2).
Mozilla 1.0 RC1, FreeBSD.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Linux (Debian)."

A.