Date: Tue, 12 Mar 2002 11:02:16 -0500 (EST)
From: Trevor Johnson
To: D J Hawkey Jr
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:16.netscape
In-Reply-To: <20020312090524.A29061@sheol.localdomain>
Message-ID: <20020312104432.L19417-100000@blues.jpj.net>

> Anyone know if [recent] Mozilla releases are vulnerable?
> Specifically, release 0.9.8?
> More specifically, the binary release of 0.9.8 from mozilla.org (which
> wouldn't have any patches found in the ports collection)?

I hadn't thought of that. I wasn't able to get the demonstration from
http://www.dividuum.de/ to work with Mozilla 0.9.9. Mozilla's support
for the about: protocol seems to be more limited than that of Netscape 4.
In particular, it doesn't have about:global. Conceivably, old versions of
Mozilla could have this bug.

Regardless, I'd recommend that you update to Mozilla 0.9.9, because of the
zlib "double free" bug. Mozilla contains its own copy of the zlib code,
which was corrected as of version 0.9.9.

-- 
Trevor Johnson