> >Affected Versions:
> >
> >This vulnerability affects all supported platforms of Enterprise and
> >FastTrack web servers. Enterprise 3.5.1 through 3.6sp2 and FastTrack 3.01
> >were found to be vulnerable. Earlier versions may be vulnerable but were not
> >tested by ISS X-Force.
>
> Does anyone know if this problem is fixed in 3.6sp3? The release notes for
> sp3 include the following fixes:
>
> 359884. Buffer overflow on large requests causes Security problems.
> 363755. Buffer overflow in the HTTP Basic authentication.
>
> That second one certainly sounds very similar, but does anyone know for sure?

From the Recommendations section of the advisory:

"Affected users should upgrade their systems immediately. This vulnerability
affects systems running Administration Server with password protected areas
that rely on Basic Authentication. If you run any of the affected servers on
any platform, upgrade to iPlanet Web Server 4.0sp2 at:
http://www.iplanet.com/downloads/testdrive/detail_161_243.html.
Netscape has stated that FastTrack will not be patched. Although Netscape
released service pack 3 for Enterprise Server 3.6 that fixes the
vulnerability in the web server, the Administration Server remains
vulnerable. If you are unable to upgrade, ISS X-Force recommends that you
block the Administration Server port at the firewall to prevent outside
attacks."

So the actual NES server was fixed in 3.6SP3; however, the Admin server in
that version still suffers from the overflow.

- --krj

--
Keith R. Jarvis (kjarvisat_private)              http://xforce.iss.net
Internet Security Systems, Inc.                  +1-678-443-6149 (direct)
Adaptive Network Security for the Enterprise     +1-678-443-6479 (fax)

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:39 PDT