Re: [Fwd: ISS Security Advisory: Buffer Overflow in Netscape Enterprise and FastTrack Web Servers]

[xforce () ISS NET (X-Force)]

Comments within.

Erik Fichtner wrote:

> Is this vulnerability in other versions of Enterprise server?

  We tested the vulnerability against the current releases of Enterprise
  and Fasttrack.  Earlier versions may be vulnerable, but they were not
  tested against.

> Does it exist on all platforms?

  No, our advisory effects only NT, Solaris was tested against and found
  not vulnerable.  AIX and other platforms were not tested against and
  these platforms potentially could be vulnerable.

> Is this an issue only with the SSL server (SSL Handshake? huh? what does
> THAT have to do with a GET request?) or does this affect the entire
> server?

  Netscape decided to combine the GET overflow patch in with an SSL
  problem.  This vulnerability affects the entire server.  Netscapes
  handles their patch bundling, we have no involvment with that.

> Are patches available for previous versions of Enterprise server?

  Not that we know of, If previous versions are found to be vulnerable
  Netscape should be contacted and will issue a patch at that time.

----
X-Force
Internet Security Systems, Inc.
(678) 443-6000 / http://xforce.iss.net/
Adaptive Network Security for the Enterprise