5385351 2000-08-22 06:23 /175 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12338>
Subject: Security Update: Netscape java security bug
------------------------------------------------------------
From: Technical Support <support@PHOENIX.CALDERASYSTEMS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000821165939.A1183@phoenix.calderasystems.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: Netscape java security bug
Advisory number: CSSA-2000-027.1
Issue date: 2000 August, 21
Cross reference:
______________________________________________________________________________
1. Problem Description
Recently, a problem in Netscape's Java libraries was discovered
that allows an applet to act as a web server on your machine,
exposing all files on your system to the world.
An exploit for this vulnerability has been published widely
under the name "Brown Orifice".
This update also fixes another vulnerability in versions
of Communicator previous to 4.74, which is a buffer overrun
while processing JPEG files. This bug could also be exploited
by malicious web servers to obtain access to the user's
machine.
2. Vulnerable Versions
System                       Package
-----------------------------------------------------------
OpenLinux Desktop 2.3        All packages previous to
                             communicator-4.75
OpenLinux eServer 2.3        All packages previous to
and OpenLinux eBuilder       communicator-4.75
OpenLinux eDesktop 2.4       All packages previous to
                             communicator-4.75
3. Solution
Workaround:
Disable Java in your web browser.
We recommend that our users upgrade to the new packages.
4. OpenLinux Desktop 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
28db8959429f5337cdd4388c6e6c5cd3 communicator-4.75-1OL.i386.rpm
46320caa2113e1de3994bf57dafcc3a0 communicator-4.75-1OL.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
You will have to install the rh-compat RPM from your
installation CD if it isn't installed already:
rpm -i Packages/RPMS/rh-compat-2.3-1.i386.rpm
Then, upgrade Netscape Communicator using
rpm -U --nodeps communicator-4.75-1OL.i386.rpm
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
fe4a2001149ada558f96c8fa65e931a2 communicator-4.75-1S.i386.rpm
ce41029a7d6d2e991302748dce7b6727 communicator-4.75-1S.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
You will have to install the rh-compat, mailcap and mimetypes
RPMs from your installation CD if they aren't installed
already:
rpm -i Packages/RPMS/rh-compat-2.3-1.i386.rpm
rpm -i Packages/RPMS/mailcap-1.0-6.i386.rpm
rpm -i Packages/RPMS/mimetypes-1.0-3.i386.rpm
Then, upgrade Netscape Communicator using
rpm -U --nodeps communicator-4.75-1S.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
6cfa056059046cd6d7c019fb6e737bac communicator-4.75-1.i386.rpm
45d7e8bd7aca18b0d743f85eb926cf00 communicator-4.75-1.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -F communicator-4.75-1.i386.rpm
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 7346.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of
the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.
______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5nSUd18sy83A/qfwRAvNmAJ9tEhmHczHNMyCkrwHzDTHC/OZloACdEM3k
caCO45dW9FtgJLE4iQCz3gQ=
=CQ+4
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5oQZ318sy83A/qfwRAkNSAKC351Vyc8Ce+L1w02HJOyauKAQd5gCfX40m
Es0U+kMOqONLoIANl7hLduA=
=7eQY
-----END PGP SIGNATURE-----
(5385351) ------------------------------------------(Rewrapped)
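The verification step in sections 4.2, 5.2 and 6.2, as an added shell example that is not part of Caldera's advisory: it compares each downloaded RPM with the MD5 sum listed above and rejects any file that does not match or is not listed. The function names are hypothetical; the checksums are copied from the advisory and are only as trustworthy as the PGP signature on the message itself.

```shell
#!/bin/sh
# Added example (not Caldera's code): gate the "rpm -U" / "rpm -F" step on the
# MD5 sums printed in the advisory. Values copied from sections 4.2, 5.2, 6.2.
ADVISORY_SUMS='28db8959429f5337cdd4388c6e6c5cd3  communicator-4.75-1OL.i386.rpm
46320caa2113e1de3994bf57dafcc3a0  communicator-4.75-1OL.src.rpm
fe4a2001149ada558f96c8fa65e931a2  communicator-4.75-1S.i386.rpm
ce41029a7d6d2e991302748dce7b6727  communicator-4.75-1S.src.rpm
6cfa056059046cd6d7c019fb6e737bac  communicator-4.75-1.i386.rpm
45d7e8bd7aca18b0d743f85eb926cf00  communicator-4.75-1.src.rpm'

# expected_sum FILE: print the advisory checksum for FILE's basename.
# Fails (non-zero) when the advisory does not list that file name.
expected_sum() {
    printf '%s\n' "$ADVISORY_SUMS" |
        awk -v f="$(basename "$1")" '$2 == f { print $1; found = 1 }
                                     END { exit !found }'
}

# verify_package FILE
# returns 0 = checksum matches, 1 = mismatch,
#         2 = file name not listed in the advisory, 3 = file unreadable
verify_package() {
    want=$(expected_sum "$1") || return 2
    [ -r "$1" ] || return 3
    got=$(md5sum < "$1" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# verify_all FILE...: check every file; non-zero if any one was rejected,
# so a caller can stop before running rpm.
verify_all() {
    failed=0
    for pkg in "$@"; do
        if verify_package "$pkg"; then
            echo "OK       $pkg"
        else
            echo "REJECTED $pkg (code $?)" >&2
            failed=1
        fi
    done
    return $failed
}

# Stand-alone use: pass the downloaded RPMs as arguments.
if [ $# -gt 0 ]; then
    verify_all "$@" || exit 1
fi
```

Continue to the rpm commands from sections 4.3, 5.3 or 6.3 only when the script exits with status 0.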