> Anyone know if [recent] Mozilla releases are vulnerable?
> Specifically, release 0.9.8?
> More specifically, the binary release of 0.9.8 from mozilla.org (which
> wouldn't have any patches found in the ports collection)?

I hadn't thought of that. I wasn't able to get the demonstration from
http://www.dividuum.de/ to work with Mozilla 0.9.9. Mozilla's support for
the about: protocol seems to be more limited than that of Netscape 4. In
particular, it doesn't have about:global. Conceivably, old versions of
Mozilla could have this bug.

Regardless, I'd recommend that you update to Mozilla 0.9.9, because of the
zlib "double free" bug. Mozilla contains its own copy of the zlib code,
which was corrected as of version 0.9.9.

-- 
Trevor Johnson
To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]