[18786] in bugtraq
iPlanet FastTrack/Enterprise 4.1 DoS clarifications
daemon@ATHENA.MIT.EDU (Peter W)
Wed Jan 24 12:56:32 2001
Message-Id: <20010124063452.H30188@usa.net>
Date: Wed, 24 Jan 2001 06:34:52 -0500
Reply-To: Peter W <peterw@USA.NET>
From: Peter W <peterw@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Regarding Peter Gruendl's discovery of DoS attacks against iWS 4.1:

1) Peter G. reports that disabling the cache with cache-init is not
an effective workaround for the FastTrack problem.

2) I wrote that iWS 4.1 has "at least one huge hole (remote code execution
via SSL/TLS implementation bug)". Another reader has pointed out that
the SSL/TLS problem was announced as a Denial of Service vulnerability.

3) The note about Service Pack levels for iPlanet Enterprise 4.1 in
Peter Gruendl's "Netscape Enterprise Server Dot-Dot DoS" was somewhat
confusing. The iPlanet URL he refers to correctly states that the
latest supported iPlanet Web servers[0] are 4.0sp6 and 4.1sp5. 4.1sp6
has not been released or officially announced by iPlanet.

Thanks,

-Peter

[0] All Netscape-branded Web server products, including Netscape Enterprise 3.6,
have officially passed their end-of-life dates and are no longer supported.