==============================================================================
                             Netscape 1.12 (X11)
==============================================================================

            ***********************************************
            IMPORTANT!  Before going any further, please
            read and accept the terms in the file LICENSE.
            ***********************************************

Release notes for this version of Netscape are available online.  After
starting the program, select "Release Notes" from the "Help" menu.  This will
take you to the URL

        http://home.netscape.com/eng/mozilla/1.1/relnotes/unix-1.12.html

which lists new features and known problems of this release.

To submit bugs or other feedback, use the "How To Give Feedback" option, also
on the "Help" menu, which will take you to the URL

        http://home.netscape.com/home/how-to-give-feedback.html

If for some reason you cannot submit feedback using that form, you may send
email to x_cbug@netscape.com.  Please be as specific as possible about the
version of Netscape you are using, and the hardware and version of the OS.
If possible, include a test case for the problem, including a URL.

==============================================================================
                          Security Fix Description
==============================================================================

TECHNICAL BACKGROUND

Netscape Navigator uses random information to generate session encryption
keys of either 40 or 128 bits in length.  The random information is found
through a variety of functions that look into a user's machine for
information about how many processes are running, process ID numbers, the
current time in microseconds, etc.

Previous releases of Netscape Navigator were vulnerable because the amount of
unknown information in the random input was less than that in the subsequent
keys.  This means that instead of searching through all of the 2^128 possible
keys by brute force, a potential intruder only had to search through a
significantly smaller space by brute force.  This was a substantially easier
problem to solve because it takes much less compute time, and it means that
the strength of a 40-bit or 128-bit key is substantially reduced.

SOLUTION

Netscape Navigator 1.22 (Windows), 1.12 (Macintosh and Unix), and 1.12I
(localized builds for all 3 platforms) fix the specific portion of our
software where this vulnerability existed.  We have significantly increased
the amount of random information that cannot be discovered by external
sources from approximately 30 bits to approximately 300 bits.  Netscape has
greatly expanded the techniques and sources used to generate the random
information.  The number of unpredictable bits in the RNG makes it no longer
the weak link in the chain.

==============================================================================
                          Installation Instructions
==============================================================================

Installation of Netscape is very simple: unpack the tar file, and run the
resultant executable.  But there are, of course, a few exceptions...

AIX:

    Netscape requires AIX 3.2.5 with the X11R5 and Motif 1.2 libraries.  If
    you are running an older version, you will get undefined symbols at
    run-time; unfortunately, the only solution is to upgrade to a more recent
    version of the OS.  We are told (but have not verified) that this
    executable works on AIX version 4.

SunOS 4.1:

    The SunOS 4.1 package comes with two executables: netscape and
    netscape_dns.  This is because Suns use two different, incompatible
    methods of resolving host names (Domain Name Service, and Network
    Information Service, formerly known as Yellow Pages).  A given site only
    needs to install one of these executables.

    It is usually possible to configure your YP/NIS server to consult a DNS
    server for resolution of hosts not in the YP maps.  Consult your system
    administrator for details.

SunOS 4.1, Linux, and BSDI:

    These distributions also include a directory called "nls".  This
    directory is a standard part of the MIT X11R5 distribution, but is not
    included with X11R4- or X11R6-based systems (such as OpenWindows 3.0 or
    earlier, and XFree86 3.1 or later).

    On these systems, Netscape has been linked against X11R5 (because Motif
    1.2.4 has some bad bugs in conjunction with X11R6).  Unfortunately, X11R5
    has one rather serious bug, which is that if this "nls" directory does
    not exist, the program will dump core any time you try to copy or paste
    to or from a text field!

    So, if you don't have the "nls" directory on your system, you will need
    to install it first.  Here is where Netscape looks for it (these default
    pathnames are hardcoded into the executable):

        SunOS 4.1:  /usr/lib/X11/nls/
        Linux:      /usr/X386/lib/X11/nls/
        BSDI:       /usr/X11/lib/X11/nls/

    If you choose not to create the directory there, then you must set the
    $XNLSPATH environment variable to the directory where you did install it.

NetBSD, FreeBSD:

    We have been told (but have not verified) that the BSDI binaries will
    work on x86 systems running NetBSD 1.0 or FreeBSD 2.0 (but not FreeBSD
    1.1.5.1).

 *  Included with all distributions is a file called XKeysymDB.  Without this
    file, many warnings about "unknown keysyms" will be generated when the
    program starts up, and most keyboard equivalents won't work.  This is a
    general problem with running Motif programs on systems not configured for
    Motif, so the file will be necessary on most Sun systems.

    This file is included with all packages because some systems have an
    older version of this file, so you may still get some warnings.

    The XKeysymDB file normally goes in /usr/lib/X11/XKeysymDB or
    /usr/openwin/lib/XKeysymDB, but you can override that with $XKEYSYMDB.

 *  Also included with all distributions is a file called Netscape.ad, which
    lists the default resources which are built in to the program.  It is not
    necessary to install this; it is provided for informational purposes.
    See the comment at the top of the file for more information.

 *  If you get a "Cannot locate host" dialog at startup, this is a sign of
    problems related to name resolution.  If you're on a Sun, see the
    comments above about the two executables.

 *  If you get a "Cannot connect to host" dialog at startup, it could mean
    that you are behind a firewall, and need to tell Netscape about your
    SOCKS server.  See the Preferences dialog under the Options menu, or
    consult your system administrator.

 *  Please read the release notes under "Help -> Release Notes".  This
    document is updated as problems are found, so please check it before
    reporting a bug.

 *  To unpack a compressed tar file into the current directory, use some
    variation of the following command:

        zcat the-file.tar.Z | tar -vxf -

 *  And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced
    "Mozilla."

==============================================================================
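
The point made under "Security Fix Description" above, that a key is only as
strong as the unknown part of its seed, worked through as an added example
(not Netscape's code).  The function names, the SHA-256 derivation and the
candidate counts in SOURCES are assumptions made for illustration; only the
30-bit and 300-bit seed figures and the 40/128-bit key sizes come from this
README.

```python
import hashlib
import math
from itertools import product

def unknown_bits(candidates_per_source):
    """Bits an observer must guess: log2 of the seed combinations left open."""
    return sum(math.log2(n) for n in candidates_per_source.values())

def effective_strength(key_bits, seed_bits):
    """A derived key is never harder to find than the seed behind it."""
    return min(key_bits, seed_bits)

def derive_key(seed_fields, key_bits=128):
    """Toy derivation: hash the seed fields and truncate (SHA-256 is a stand-in)."""
    material = "|".join(str(f) for f in seed_fields).encode()
    return hashlib.sha256(material).digest()[: key_bits // 8]

def reachable_keys(ranges, key_bits=128):
    """Every key the generator can emit when each seed field stays in `ranges`."""
    return {derive_key(fields, key_bits) for fields in product(*ranges)}

# Constructed candidate counts per seed source, not measurements of Navigator:
# microseconds within a known second, a 15-bit process ID, a nearby parent PID.
SOURCES = {"time_usec": 1_000_000, "pid": 32_768, "ppid": 32}

if __name__ == "__main__":
    print(f"constructed seed: {unknown_bits(SOURCES):.1f} unknown bits")
    # Seed sizes quoted in the README: about 30 bits before, about 300 after.
    for seed_bits in (30, 300):
        for key_bits in (40, 128):
            eff = effective_strength(key_bits, seed_bits)
            print(f"seed {seed_bits:3d} bits, key {key_bits:3d} bits -> {eff} bits")
    # A 9-bit toy seed space yields only 512 distinct "128-bit" keys.
    toy = [range(16), range(8), range(4)]
    print(len(reachable_keys(toy)), "keys reachable from the toy seed space")
```

With a 30-bit seed both key sizes come out at 30 bits; with a 300-bit seed the
key length itself (40 or 128 bits) becomes the limit.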