From owner-freebsd-ports Sun Jul 23 14:11: 7 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146])
	by hub.freebsd.org (Postfix) with ESMTP id D295837B7FC
	for ; Sun, 23 Jul 2000 14:11:04 -0700 (PDT)
	(envelope-from trevor@jpj.net)
Received: from localhost (trevor@localhost)
	by blues.jpj.net (right/backatcha) with ESMTP id e6NLAtX27977;
	Sun, 23 Jul 2000 17:10:56 -0400 (EDT)
Date: Sun, 23 Jul 2000 17:10:55 -0400 (EDT)
From: Trevor Johnson
To: SADA Kenji
Cc: freebsd-ports@FreeBSD.ORG, girgen@partitur.se, obrien@NUXI.com, lioux@uol.com.br
Subject: Re: Kill Netscape us ports and version 4.08. (was Re: Netscapebrowsers us versions avail. abroad)
In-Reply-To: <200007231859.DAA90742@home.bsdclub.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I see. How about new ``NEED_SECURITY_WARNING'' option for the old versions ?

I did a little more reading and it seems that a warning may be in order
for all versions. Here's an attempt at a blurb that covers all the
problems I know about:

Versions 4.72 and earlier have security bugs which have since been
fixed. They are listed at
http://home.netscape.com/security/notes/index.html .

Disabling JavaScript is recommended for all versions. Further
information, and examples of hostile code (caution!), can be found at
http://www.nat.bg/~joro/netscape.html .

Non-U.S. versions have weak SSL. For versions 4.72 and earlier, 128-bit
encryption is available by using Fortify. To enable it, set WITH_128BIT
in your environment when building the package. Before using SSL with
any version, read http://www.cert.org/advisories/CA-2000-08.html .

> >> It looks to me like the only reason for the 4.73 version was to try to fix
> >> the SSL problem described in
> >> http://www.cert.org/advisories/CA-2000-05.html . However,
> >> http://www.cert.org/advisories/CA-2000-08.html says there's still a
> >> similar problem in 4.73. The "international" versions have crippled SSL
> >> anyway, unless Fortify is used. The Fortify people stopped development
> >> after Netscape 4.72. In light of all that, I think version 4.72 would be
> >> best for the users I mentioned.

I hadn't noticed before, but the Netscape folks say that in 4.73 they
fixed another bug (http://home.netscape.com/security/jscookie.html) where
users' bookmarks, and a listing of their files, could be sent to hostile
Web sites. However, they list several ways to avoid it.

--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message