Date: Mon, 21 Aug 2000 16:59:39 -0600
From: Technical Support <support@phoenix.calderasystems.com>
To: announce@lists.calderasystems.com, bugtraq@securityfocus.com,
Subject: Security Update: Netscape java security bug


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera Systems, Inc.  Security Advisory

Subject:		Netscape java security bug
Advisory number: 	CSSA-2000-027.1
Issue date: 		2000 August, 21
Cross reference:
______________________________________________________________________________


1. Problem Description

   Recently, a problem in Netscape's Java libraries was discovered
   that allows an untrusted applet to act as a web server on your
   machine, exposing every file the browser's user can read to
   anyone on the network who can reach that listening port.

   An exploit for this vulnerability has been published widely
   under the name "Brown Orifice".

   This update also fixes another vulnerability in versions of
   Communicator prior to 4.74: a buffer overrun while processing
   JPEG files. A malicious web server can trigger it simply by
   serving a crafted image, and so obtain access to the user's
   machine with the privileges of the user running the browser.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        All packages previous to
                                communicator-4.75

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       communicator-4.75

   OpenLinux eDesktop 2.4       All packages previous to
                                communicator-4.75

3. Solution

   Workaround:

   Disable Java in your web browser (in Communicator 4.x: Edit ->
   Preferences -> Advanced, uncheck "Enable Java"). Note that this
   only blocks the applet-based "Brown Orifice" attack; it does
   nothing against the JPEG buffer overrun, which is fixed only by
   the updated packages.

   We recommend that all users upgrade to the fixed packages listed
   below.

4. OpenLinux Desktop 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

       28db8959429f5337cdd4388c6e6c5cd3  communicator-4.75-1OL.i386.rpm
       46320caa2113e1de3994bf57dafcc3a0  communicator-4.75-1OL.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands.

       You will have to install the rh-compat RPM from your
       installation CD if it isn't installed already:

          rpm -i Packages/RPMS/rh-compat-2.3-1.i386.rpm

       Then, upgrade Netscape Communicator using

          rpm -U --nodeps communicator-4.75-1OL.i386.rpm

       Note that --nodeps switches off RPM's dependency checking, so
       make sure rh-compat really is present before running it.

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       fe4a2001149ada558f96c8fa65e931a2  communicator-4.75-1S.i386.rpm
       ce41029a7d6d2e991302748dce7b6727  communicator-4.75-1S.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands.

       You will have to install the rh-compat, mailcap and mimetypes
       RPMs from your installation CD if they aren't installed already:

          rpm -i Packages/RPMS/rh-compat-2.3-1.i386.rpm
          rpm -i Packages/RPMS/mailcap-1.0-6.i386.rpm
          rpm -i Packages/RPMS/mimetypes-1.0-3.i386.rpm

       Then, upgrade Netscape Communicator using

          rpm -U --nodeps communicator-4.75-1S.i386.rpm

       Note that --nodeps switches off RPM's dependency checking, so
       make sure all three of the packages above really are present
       before running it.

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       6cfa056059046cd6d7c019fb6e737bac  communicator-4.75-1.i386.rpm
       45d7e8bd7aca18b0d743f85eb926cf00  communicator-4.75-1.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected package with the following command:

          rpm -F communicator-4.75-1.i386.rpm

       (-F freshens an already-installed communicator package; it does
       nothing if communicator is not installed on the system.)
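       The download, verify and install sequence of sections 4 to 6,
       as an added shell example that is not part of the Caldera
       advisory. It checks the downloaded RPMs against the MD5 sums
       the advisory publishes and refuses to run rpm on a mismatch,
       which is the step a reader is otherwise left to do by hand.
       It assumes the RPMs were downloaded into the current directory,
       that GNU md5sum and rpm are on the PATH, and uses the eDesktop
       2.4 sums from section 6.2; the sum list is a parameter, so the
       same functions serve the Desktop 2.3 and eServer 2.3 sections.

```shell
#!/bin/sh
# Added example, not part of the Caldera advisory: verify the downloaded
# communicator RPMs against the MD5 sums published in the advisory before
# handing them to rpm.  Assumes the RPMs sit in the current directory and
# that md5sum (GNU coreutils) and rpm are available.

# MD5 sums copied from the advisory (section 6.2, OpenLinux eDesktop 2.4).
# For Desktop 2.3 or eServer 2.3 substitute the list from section 4.2 or 5.2.
ADVISORY_SUMS='6cfa056059046cd6d7c019fb6e737bac  communicator-4.75-1.i386.rpm
45d7e8bd7aca18b0d743f85eb926cf00  communicator-4.75-1.src.rpm'

# verify_md5 FILE EXPECTED_SUM
# Returns 0 when FILE exists and its MD5 digest equals EXPECTED_SUM,
# 1 (with a diagnostic on stderr) otherwise.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "verify_md5: $file not found" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0
    echo "verify_md5: $file: got $actual, expected $expected" >&2
    return 1
}

# verify_list SUMLIST
# SUMLIST holds one "<md5>  <filename>" line per package, in the format the
# advisory prints.  Returns 0 only if every listed file is present and
# matches; a single bad or missing file fails the whole list.
verify_list() {
    status=0
    # A here-document keeps the loop in this shell (a pipe would fork a
    # subshell and lose the $status update).
    while read -r sum name; do
        [ -n "$sum" ] || continue
        verify_md5 "$name" "$sum" || status=1
    done <<EOF
$1
EOF
    return $status
}

# upgrade_communicator
# Installs the fixed package only after every checksum verifies.  Mirrors the
# eDesktop 2.4 step (rpm -F).  On Desktop 2.3 / eServer 2.3 the advisory uses
# rpm -U --nodeps after installing rh-compat (plus mailcap and mimetypes on
# eServer); since --nodeps disables dependency checking, confirm those with
# rpm -q before swapping in that command here.
upgrade_communicator() {
    verify_list "$ADVISORY_SUMS" || {
        echo "checksum verification failed; not installing" >&2
        return 1
    }
    rpm -F communicator-4.75-1.i386.rpm
}

# Only run the upgrade when asked to explicitly:  sh verify-upgrade.sh install
if [ "${1:-}" = "install" ]; then
    upgrade_communicator
fi
```

       Invoked without the "install" argument the script only defines
       the functions, so it can be sourced to run verify_list on its
       own; the MD5 check is a defence against a corrupted or
       substituted download, not against a forged advisory, which is
       what the PGP signature on this message is for.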

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 7346.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5nSUd18sy83A/qfwRAvNmAJ9tEhmHczHNMyCkrwHzDTHC/OZloACdEM3k
caCO45dW9FtgJLE4iQCz3gQ=
=CQ+4
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5oQZ318sy83A/qfwRAkNSAKC351Vyc8Ce+L1w02HJOyauKAQd5gCfX40m
Es0U+kMOqONLoIANl7hLduA=
=7eQY
-----END PGP SIGNATURE-----