Originally Published: Saturday, 10 June 2000 Author: Derrick H. Lewis
Published to: news_enhance_security/Security News Page: 1/1 - [Printable]

Caldera Systems, Inc. Security Advisory

There are some flaws in the SSL transaction handling of Netscape Version 4.72 which could compromise encrypted SSL sessions.

   Page 1 of 1  

______________________________________________________________________________ Caldera Systems, Inc. Security Advisory

Subject: flaws in the SSL transaction handling of Netscape Advisory number: CSSA-2000-017.0 Issue date: 2000 June, 09 Cross reference: ______________________________________________________________________________

1. Problem Description

There are some flaws in the SSL transaction handling of Netscape Version 4.72 which could compromise encrypted SSL sessions.

This update upgrades Netscape to version 4.73, which also fixes some annoying crashes during common usage.

Upgrade to the new version is recommended.

2. Vulnerable Versions

System Package ----------------------------------------------------------- OpenLinux Desktop 2.3 not vulnerable

OpenLinux eServer 2.3 not vulnerable and OpenLinux eBuilder

OpenLinux eDesktop 2.4 previous to communicator-4.73-2

3. Solution

Workaround:

none

The proper solution is to upgrade to the fixed packages.

4. OpenLinux Desktop 2.3

not vulnerable

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

not vulnerable

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

RPMS/communicator-4.73-2.i386.rpm SRPMS/communicator-4.73-2.src.rpm

6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -F communicator-4.73-2.i386.rpm 7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

Caldera Systems wishes to thank Netscape and SuSE for providing fixes for the encountered crashes and security problems.





   Page 1 of 1