Linux Today: Linux News On Internet Time.
Caldera Systems Security Advisory: Netscape java security bug

Aug 22, 2000, 05:19

Date: Mon, 21 Aug 2000 16:59:39 -0600
From: Technical Support support@PHOENIX.CALDERASYSTEMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Update: Netscape java security bug

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                   Caldera Systems, Inc.  Security Advisory

Subject:                Netscape java security bug
Advisory number:        CSSA-2000-027.1
Issue date:             2000 August, 21
Cross reference:

1. Problem Description

A flaw in the Java implementation shipped with Netscape Communicator allows an untrusted applet to open a listening socket and act as a web server on the machine running the browser, serving files to anyone who connects. The applet runs with the privileges of the user running the browser, so every file that user can read is exposed, not just files the browser itself handles.

An exploit for this vulnerability has been published widely under the name "Brown Orifice".

This update also fixes a second vulnerability in Communicator versions before 4.74: a buffer overrun while decoding JPEG images. A malicious web site can trigger it simply by serving a crafted JPEG, and it can likewise be exploited to run code with the privileges of the user running the browser.

2. Vulnerable Versions

   System                       Package

   OpenLinux Desktop 2.3        All communicator packages prior to
                                communicator-4.75

   OpenLinux eServer 2.3        All communicator packages prior to
   and OpenLinux eBuilder       communicator-4.75

   OpenLinux eDesktop 2.4       All communicator packages prior to
                                communicator-4.75

3. Solution

Workaround:

Disable Java in your web browser. This blocks the Brown Orifice applet, but it does nothing against the JPEG buffer overrun, which is triggered by image decoding rather than by Java; the only complete fix is the package upgrade.

We recommend that users upgrade to the new packages.

4. OpenLinux Desktop 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

4.2 Verification

MD5 checksums of the fixed packages:

28db8959429f5337cdd4388c6e6c5cd3 communicator-4.75-1OL.i386.rpm
46320caa2113e1de3994bf57dafcc3a0 communicator-4.75-1OL.src.rpm

These checksums are part of the PGP-signed body of this advisory, so verify the advisory's signature first. A matching checksum on a package fetched over anonymous FTP then shows that the file is the one Caldera published, which the FTP transfer itself cannot guarantee.

4.3 Installing Fixed Packages

Upgrade the affected packages with the following commands.

The fixed package requires the rh-compat RPM. Install it from your installation CD if it isn't installed already:

rpm -i Packages/RPMS/rh-compat-2.3-1.i386.rpm

Then upgrade Netscape Communicator using

rpm -U --nodeps communicator-4.75-1OL.i386.rpm

Note that --nodeps switches off rpm's dependency check, so a missing rh-compat will not be caught at install time; that is why it must be put in place by hand first.

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

MD5 checksums of the fixed packages:

fe4a2001149ada558f96c8fa65e931a2 communicator-4.75-1S.i386.rpm
ce41029a7d6d2e991302748dce7b6727 communicator-4.75-1S.src.rpm

5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands.

The fixed package requires the rh-compat, mailcap and mimetypes RPMs. Install them from your installation CD if they aren't installed already:

rpm -i Packages/RPMS/rh-compat-2.3-1.i386.rpm
rpm -i Packages/RPMS/mailcap-1.0-6.i386.rpm
rpm -i Packages/RPMS/mimetypes-1.0-3.i386.rpm

Then upgrade Netscape Communicator using

rpm -U --nodeps communicator-4.75-1S.i386.rpm

As in section 4.3, --nodeps disables rpm's dependency check, so make sure all three prerequisite packages are really installed before running it.

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

MD5 checksums of the fixed packages:

6cfa056059046cd6d7c019fb6e737bac communicator-4.75-1.i386.rpm
45d7e8bd7aca18b0d743f85eb926cf00 communicator-4.75-1.src.rpm

6.3 Installing Fixed Packages

Upgrade the affected packages with the following command:

rpm -F communicator-4.75-1.i386.rpm

(-F "freshens": it only replaces a communicator package that is already installed, which is the right behaviour for a security update.)
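The three install procedures above (sections 4.3, 5.3 and 6.3) each assume you have already compared the downloaded RPM against the checksum in the matching Verification section. The following POSIX shell script is an added example, not part of the Caldera advisory, that does that comparison mechanically and refuses to invoke rpm on a mismatch. The checksum table is copied from sections 4.2, 5.2 and 6.2; the function names (md5_of, lookup_sum, verify_rpm, install_update) and the fallback to openssl are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Caldera advisory): check a downloaded
# communicator RPM against the MD5 published in the advisory before rpm
# touches it.  The checksum table below is copied from sections 4.2, 5.2
# and 6.2 of the advisory; everything else is this example's own code.

# "<md5>  <filename>" per line, the same format md5sum -c understands.
EXPECTED_SUMS='28db8959429f5337cdd4388c6e6c5cd3  communicator-4.75-1OL.i386.rpm
fe4a2001149ada558f96c8fa65e931a2  communicator-4.75-1S.i386.rpm
6cfa056059046cd6d7c019fb6e737bac  communicator-4.75-1.i386.rpm'

# md5_of FILE: print the hex MD5 of FILE.  Uses md5sum where available
# and falls back to openssl on systems that lack coreutils.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# lookup_sum FILENAME: print the advisory checksum for that package name
# (prints nothing if the name is not in the table).
lookup_sum() {
    printf '%s\n' "$EXPECTED_SUMS" | awk -v f="$1" '$2 == f { print $1 }'
}

# verify_rpm FILE EXPECTED: return 0 only if FILE's MD5 equals EXPECTED.
# The expected value is lower-cased so a hand-copied upper-case hash still
# matches; any other difference, or an unreadable file, is a failure.
verify_rpm() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "verify_rpm: cannot read $file" >&2; return 1; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_rpm: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_update FILE [rpm options...]: verify, then hand the file to rpm.
# The rpm options default to -U; the caller supplies the per-product flags
# from the advisory instead (-U --nodeps for Desktop 2.3 and eServer 2.3,
# -F for eDesktop 2.4).  rpm is never invoked when the checksum fails.
install_update() {
    file=$1
    shift
    name=$(basename "$file")
    expected=$(lookup_sum "$name")
    if [ -z "$expected" ]; then
        echo "install_update: no advisory checksum for $name" >&2
        return 1
    fi
    verify_rpm "$file" "$expected" || return 1
    if [ $# -eq 0 ]; then set -- -U; fi
    rpm "$@" "$file"
}

# Typical use on OpenLinux eServer 2.3, after the rh-compat, mailcap and
# mimetypes packages from section 5.3 are in place:
#   install_update ./communicator-4.75-1S.i386.rpm -U --nodeps
```

The script checks only the binary RPMs, because those are what the install commands consume; add the .src.rpm lines from the advisory to EXPECTED_SUMS if you rebuild from source. It deliberately does not fetch anything itself: the checksum proves that the file you already have matches what the signed advisory lists, which is the property FTP cannot give you.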

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

This security fix closes Caldera's internal Problem Report 7346.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux.


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org 

iD8DBQE5nSUd18sy83A/qfwRAvNmAJ9tEhmHczHNMyCkrwHzDTHC/OZloACdEM3k
caCO45dW9FtgJLE4iQCz3gQ=
=CQ+4
- -----END PGP SIGNATURE-----