Hi all,

has anybody seen/heard any confirmation from Netscape that the new release (4.75) has plugged the java security hole?? Through all this I have heard absolutely nothing from Netscape, either on Bugtraq or their web pages, no acknowledgement of the vulnerability, no news no nothing. In my book this makes them an early frontrunner for worst vulnerability handling of the year.

Stefan
Hi,

On Sat, Aug 19, Stefan Suurmeijer wrote:
> has anybody seen/heard any confirmation from Netscape that the new release (4.75) has plugged the java security hole??

According to heise, release 4.75 closes the brown orifice hole. Sorry, German only: http://www.heise.de/newsticker/data/vza-18.08.00-000/

> Stefan

Hubert Mantel
Goodbye, dots...
On Sat, 19 Aug 2000, Hubert Mantel wrote:
>> has anybody seen/heard any confirmation from Netscape that the new release (4.75) has plugged the java security hole??
> According to heise, release 4.75 closes the brown orifice hole. Sorry, German only:

and when the proper SuSE-Version/Update will be released?

Greetings,
Joerg Henner.

--
LinuxHaus Stuttgart | Tel.: +49 (7 11) 2 85 19 05
J. Henner & A. Reyer, Datentechnik GbR | D2: +49 (1 72) 7 35 31 09
| Fax: +49 (7 11) 5 78 06 92
Linux, Netzwerke, Consulting & Support | http://lihas.de
On 19-Aug-2000 Joerg Henner wrote:
> and when the proper SuSE-Version/Update will be released?

Another Question....when is the full strength encryption to be sorted.?

Even if SuSE put up 4.75 tomorrow...on a European site...it would be of no use to me. Fortify will not recognise a Netscape > 4.72. I have had to download direct from Netscape:-(

Regards
Brian

--
Brian Galbraith
Default Key 0x63EBA765 (DH/DSA)
http://seattle.keyserver.net:11371/pks/lookup?op=get&search=0x63EBA765
ICQ 79205734
On Sat, Aug 19, 2000 at 05:39:20PM +0100, Brian Galbraith wrote:
> On 19-Aug-2000 Joerg Henner wrote:
>> and when the proper SuSE-Version/Update will be released?
>
> Another Question....when is the full strength encryption to be sorted.?
>
> Even if SuSE put up 4.75 tomorrow...on a European site...it would be of no use to me. Fortify will not recognise a Netscape > 4.72. I have had to download direct from Netscape:-(

No. The default version available from the ftp-mirrors by now supports 128 bits, so this is not an issue any longer (and hence Fortify is discontinued). Please check e.g. ftp://ftp.fu-berlin.de/unix/www/netscape/communicator/english/4.75/unix/supported/linux22/complete_install/

Best regards,
Lutz

--
Lutz Jaenicke | Lutz.Jaenicke@aet.TU-Cottbus.DE
BTU Cottbus | http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik | Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus | Fax. +49 355 69-4153
>> Another Question....when is the full strength encryption to be sorted.?
>>
>> Even if SuSE put up 4.75 tomorrow...on a European site...it would be of no use to me. Fortify will not recognise a Netscape > 4.72. I have had to download direct from Netscape:-(
>
> No. The default version available from the ftp-mirrors by now supports 128 bits, so this is not an issue any longer (and hence Fortify is discontinued). Please check e.g. ftp://ftp.fu-berlin.de/unix/www/netscape/communicator/english/4.75/unix/supported/linux22/complete_install/
>
> Best regards, Lutz

The 4.75 package will be available shortly.

Roman.

--
Roman Drahtmüller
> and when the proper SuSE-Version/Update will be released?
>
> Greetings,
> Joerg Henner.

Today.

Roman.

--
Roman Drahtmüller
hi,

I just installed 4.75 (source from netscape) and tried a few tests in regards to the java exploit (Brown Orifice HTTPD). I went to the following webpage, http://www.brumleve.com/BrownOrifice/, that has a demo of Brown Orifice HTTPD and allowed it to do its thing to my machine. It did open up tcp port 8080 (as an nmap scan of my machine showed), but it did not allow me to connect or view any files.

Is this exploit fixed in the latest release of netscape 4.75? I believe it is and is not. I do not have the ability to connect to the 8080 port and view my files, even though it is open. But then again, why does it still allow Brown Orifice HTTPD to open up a port on my machine? Isn't this a problem itself and still a potential security vulnerability?

After killing all netscape processes, according to another nmap scan of my machine, tcp port 8080 was closed.

Sorry that I couldn't give a definite yes or no, but that would and SHOULD come from Netscape themselves. BOOO and HISSS to Netscape for leaving their users in the dark. Perhaps they don't care anymore now that AOL owns their ass.

jason

Stefan Suurmeijer wrote:
> Hi all,
>
> has anybody seen/heard any confirmation from Netscape that the new release (4.75) has plugged the java security hole?? Through all this I have heard absolutely nothing from Netscape, either on Bugtraq or their web pages, no acknowledgement of the vulnerability, no news no nothing. In my book this makes them an early frontrunner for worst vulnerability handling of the year.
>
> Stefan