Date: Mon, 21 Aug 2000 16:59:39 -0600
From: Technical Support support@PHOENIX.CALDERASYSTEMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Update: Netscape java security bug
– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Caldera Systems, Inc. Security Advisory
Subject: Netscape java security bug
Advisory number: CSSA-2000-027.1
Issue date: 2000 August, 21
Cross reference:
1. Problem Description
Recently, a problem in netscape’s java libraries was discovered
that allows an applet to act as a web server on your machine,
exposing all files on your system to the world.
An exploit for this vulnerability has been published widely
under the name “Brown Orifice”.
This update also fixes another vulnerability in versions of
communicator previous to 4.74, which is a buffer overrun while
processing JPEG files. This bug could also be exploited by
malicious web servers to obtain access to the user’s machine.
2. Vulnerable Versions
System Package
OpenLinux Desktop 2.3 All packages previous to
communicator-4.75
OpenLinux eServer 2.3 All packages previous to
and OpenLinux eBuilder communicator-4.75
OpenLinux eDesktop 2.4 All packages previous to
communicator-4.75
3. Solution
Workaround:
Disable java in your web browser.
We recommend our users to upgrade to the new packages.
4. OpenLinux Desktop 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera’s FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
28db8959429f5337cdd4388c6e6c5cd3
communicator-4.75-1OL.i386.rpm
46320caa2113e1de3994bf57dafcc3a0 communicator-4.75-1OL.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
You will have to install the rh-compat RPM from your
installation CD if it isn’t installed already:
rpm -i Packages/RPMS/rh-compat-2.3-1.i386.rpm
Then, upgrade netscape communicator using
rpm -U –nodeps communicator-4.75-1OL.i386.rpm
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential
3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera’s FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
fe4a2001149ada558f96c8fa65e931a2
communicator-4.75-1S.i386.rpm
ce41029a7d6d2e991302748dce7b6727 communicator-4.75-1S.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
You will have to install the rh-compat, mailcap and mimetypes
RPMs from your installation CD if they aren’t installed
already:
rpm -i Packages/RPMS/rh-compat-2.3-1.i386.rpm
rpm -i Packages/RPMS/mailcap-1.0-6.i386.rpm
rpm -i Packages/RPMS/mimetypes-1.0-3.i386.rpm
Then, upgrade netscape communicator using
rpm -U –nodeps communicator-4.75-1S.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera’s FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
6cfa056059046cd6d7c019fb6e737bac
communicator-4.75-1.i386.rpm
45d7e8bd7aca18b0d743f85eb926cf00 communicator-4.75-1.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -F communicator-4.75-1.i386.rpm
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera’s internal Problem Report
7346.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5nSUd18sy83A/qfwRAvNmAJ9tEhmHczHNMyCkrwHzDTHC/OZloACdEM3k
caCO45dW9FtgJLE4iQCz3gQ=
=CQ+4
- -----END PGP SIGNATURE-----