Date: Sun, 23 Jul 2000 17:10:55 -0400 (EDT)
From: Trevor Johnson <trevor@jpj.net>
To: SADA Kenji <sada@bsdclub.org>
Cc: freebsd-ports@FreeBSD.ORG, girgen@partitur.se, obrien@NUXI.com, lioux@uol.com.br
Subject: Re: Kill Netscape us ports and version 4.08. (was Re: Netscapebrowsers us versions avail. abroad)
Message-ID: <Pine.BSI.4.21.0007231645380.25930-100000@blues.jpj.net>
In-Reply-To: <200007231859.DAA90742@home.bsdclub.org>

> I see. How about new ``NEED_SECURITY_WARNING'' option for the old versions ?

I did a little more reading and it seems that a warning may be in order for all versions. Here's an attempt at a blurb that covers all the problems I know about:

Versions 4.72 and earlier have security bugs which have since been fixed. They are listed at http://home.netscape.com/security/notes/index.html .

Disabling JavaScript is recommended for all versions. Further information, and examples of hostile code (caution!), can be found at http://www.nat.bg/~joro/netscape.html .

Non-U.S. versions have weak SSL. For versions 4.72 and earlier, 128-bit encryption is available by using Fortify. To enable it, set WITH_128BIT in your environment when building the package.

Before using SSL with any version, read http://www.cert.org/advisories/CA-2000-08.html .

> >> It looks to me like the only reason for the 4.73 version was to try to fix
> >> the SSL problem described in
> >> http://www.cert.org/advisories/CA-2000-05.html . However,
> >> http://www.cert.org/advisories/CA-2000-08.html says there's still a
> >> similar problem in 4.73. The "international" versions have crippled SSL
> >> anyway, unless Fortify is used. The Fortify people stopped development
> >> after Netscape 4.72. In light of all that, I think version 4.72 would be
> >> best for the users I mentioned.

I hadn't noticed before, but the Netscape folks say that in 4.73 they fixed another bug (http://home.netscape.com/security/jscookie.html) where users' bookmarks, and a listing of their files, could be sent to hostile Web sites. However, they list several ways to avoid it.

--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt