[11552] in bugtraq

Re: [Fwd: ISS Security Advisory: Buffer Overflow in Netscape

daemon@ATHENA.MIT.EDU (X-Force)
Sat Aug 28 11:38:32 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.3.95.990826145947.3080A-100000@arden.iss.net>
Date:         Thu, 26 Aug 1999 15:23:12 -0400
Reply-To: X-Force <xforce@ISS.NET>
From: X-Force <xforce@ISS.NET>
X-To:         BUGTRAQ <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM

Comments within.

Erik Fichtner wrote:

> Is this vulnerability in other versions of Enterprise server?

  We tested the vulnerability against the current releases of Enterprise
  and Fasttrack.  Earlier versions may be vulnerable, but they were not
  tested against.

> Does it exist on all platforms?

  No, our advisory affects only NT; Solaris was tested against and found
  not vulnerable.  AIX and other platforms were not tested against and
  these platforms potentially could be vulnerable.

> Is this an issue only with the SSL server (SSL Handshake? huh? what does
> THAT have to do with a GET request?) or does this affect the entire
> server?

  Netscape decided to combine the GET overflow patch in with an SSL
  problem.  This vulnerability affects the entire server.  Netscape
  handles their patch bundling; we have no involvement with that.

> Are patches available for previous versions of Enterprise server?

  Not that we know of.  If previous versions are found to be vulnerable,
  Netscape should be contacted and will issue a patch at that time.


----
X-Force
Internet Security Systems, Inc.
(678) 443-6000 / http://xforce.iss.net/
Adaptive Network Security for the Enterprise
