Security Advisory Netscape 4.73 available

Advisory: RHSA-2000:028-02
Type: Security Advisory
Severity: N/A
Issued on: 2000-05-19
Last updated on: 2001-02-25
Affected Products:
OVAL: N/A
CVEs (cve.mitre.org): CVE-2000-0406

Details

Netscape 4.73 packages are available. These new packages fix
bugs in SSL certificate validation that could allow encrypted
SSL sessions to be compromised.

It is recommended that all users of Netscape update to the new packages.

The description of the vulnerability, taken from
http://www.securityfocus.com/:
--
An attacker poisons a nameserver to redirect all
connections to www.goodguy.com, normally
100.100.100.100, to 99.99.99.99, www.badguy.com.

The attacker causes all normal http requests to return
what they normally would on www.goodguy.com, even though
a user attempting to contact www.goodguy.com hits
www.badguy.com.

Upon getting a hit to www.badguy.com, the attacker
causes an SSL connection to be established. This can be
done by embedding a small image. The user may or may not
get a warning about establishing a secure connection --
this warning is on by default, although many users will
choose to disable this warning. The attacker needs to
use a legitimate SSL key, certified by someone listed as
trustworthy (thawte.com, for instance).

The user can continue to shop to their heart's content,
on the real site, as it's being proxied.

When the user decides to check out, it will attempt to
establish an SSL connection to www.goodguy.com. Upon
checking the ip address for www.goodguy.com, for
establishing an SSL connection, it will note that an SSL
connection already exists to its IP. The key, however,
was issued to www.badguy.com. The SSL connection will be
established, and by all indications appear to go to
www.goodguy.com, when in fact it is to www.badguy.com.

This could be used by a would-be attacker to steal
information such as credit cards, or any other
information protected by SSL.
---
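
The flaw described above comes down to reusing an SSL session by IP address without re-checking the certificate name against the host being requested. The following added example is a simplified model of that logic next to a corrected version; it is not Netscape's code, and the class and function names (FlawedBrowser, FixedBrowser, check_cert, checkout) are hypothetical.

```python
# Simplified model of the session-reuse flaw; not Netscape source code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str       # host name the CA certified
    trusted_ca: bool   # chain ends at a CA the browser trusts

class CertMismatch(Exception):
    pass

def check_cert(cert, host):
    if not cert.trusted_ca:
        raise CertMismatch("untrusted issuer")
    if cert.subject.lower() != host.lower():
        raise CertMismatch(f"certificate is for {cert.subject}, not {host}")

class FlawedBrowser:
    """Checks the certificate name only when a new session is created."""
    def __init__(self, dns, servers):
        self.dns, self.servers, self.sessions = dns, servers, {}

    def connect(self, host):
        ip = self.dns[host]
        if ip not in self.sessions:          # existing session: no name check
            cert = self.servers[ip]
            check_cert(cert, host)
            self.sessions[ip] = cert
        return self.sessions[ip].subject     # identity of the actual peer

class FixedBrowser(FlawedBrowser):
    """Re-checks the requested host name on every use, reused or not."""
    def connect(self, host):
        ip = self.dns[host]
        cert = self.sessions.get(ip) or self.servers[ip]
        check_cert(cert, host)
        self.sessions[ip] = cert
        return cert.subject

def checkout(browser_cls, visit_badguy_first=True):
    # Constructed data from the advisory's scenario: DNS is poisoned so both
    # names resolve to 99.99.99.99, which holds a valid www.badguy.com cert.
    dns = {"www.goodguy.com": "99.99.99.99", "www.badguy.com": "99.99.99.99"}
    servers = {"99.99.99.99": Cert("www.badguy.com", True)}
    browser = browser_cls(dns, servers)
    if visit_badguy_first:
        browser.connect("www.badguy.com")    # the embedded image over SSL
    try:
        return browser.connect("www.goodguy.com")
    except CertMismatch as err:
        return f"rejected: {err}"
```

In this model a direct first connection to www.goodguy.com is rejected even by the flawed browser; only the reuse path skips the name check, which is why the earlier SSL hit to www.badguy.com matters.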

Another minor vulnerability exists in current versions
of Netscape: by default, Netscape responds to
rlogin: and telnet: URLs by launching a helper application
of the appropriate type. When following URLs of these types,
certain information about the local user (user name,
environment settings) may be exposed to a remote host.
To change the default associations and avoid this, go to
Edit->Preferences and choose Communicator->Applications.
Then change the default commands associated with 'telnet'
and 'rlogin' to something that does not open a connection
to the remote host, for example, simply 'xterm'.


Solution

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

For Red Hat Linux 5.0 and 5.1, use the Red Hat Linux 5.2
packages. For Red Hat Linux 6.0 and 6.1, use the Red Hat Linux
6.2 packages.

Updated packages


Bugs fixed (see bugzilla for more information)

11379 - Netscape 4.73 release for security problems in 4.72


References


Keywords

rlogin


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/