Subject: pkg/10928: No netscape advisory for Java bug
To: None <gnats-bugs@gnats.netbsd.org>
From: Chris Pinnock <C.J.E.Pinnock@qmw.ac.uk>
List: netbsd-bugs
Date: 08/31/2000 17:01:14
>Number:         10928
>Category:       pkg
>Synopsis:       Ought to issue a SA on netscape =<4.74 java bug
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 31 17:02:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Chris Pinnock
>Release:        irrelevant (but all releases that can run netscape 4)
>Organization:
	School of Mathematical Sciences; QMW College; London; UK
>Environment:
	i386 Netscape 4.74 for Linux
System: NetBSD cod 1.4.3_ALPHA NetBSD 1.4.3_ALPHA (COD) #1: Tue Aug 22 15:52:36 BST 2000 root@cod:/usr/src/sys/arch/i386/compile/COD i386


>Description:
	It is possible for Netscape =<4.74 to serve out files on a local
	disk. Go to http://www.brumleve.com/BrownOrifice/ to get
	a sample java program that shows this problem.


>How-To-Repeat:
	see above.
>Fix:
	Netscape 4.75 (Linux version at least) is in pkgsrc (communicator
	and navigator). The fix is to upgrade (or disable Java in 4.74). 

	A Security Advisory along the lines of the 4.73->4.74 one would
	do in terms of upgrading instructions. All that remains is
	to change the details of the security exploit in question.

	Although netscape is not part of the core NetBSD package, the
	NetBSD project ought to point it out to their users.
>Release-Note:
>Audit-Trail:
>Unformatted: