Re: iPlanet FastTrack/Enterprise 4.1 DoS clarifications
On Wed, Jan 24, 2001 at 02:45:46PM -0600, Calvin Tait wrote:

> SP6 has been released by iPlanet.
> http://www.iplanet.com/support/iws-alert/index.html

Just to clarify this once again...

The latest versions of the iPlanet web server products are:

iPlanet Web Server Enterprise Edition 4.0 Service Pack 6
iPlanet Web Server Enterprise Edition 4.1 Service Pack 5

i.e., Service pack 6 for Netscape 4.1 has _not_ been released. Both 4.0SP6 and 4.1SP5 were released just under 2 months ago.

Scott

Re: iPlanet FastTrack/Enterprise 4.1 DoS clarifications
> 3) The note about Service Pack levels for iPlanet Enterprise 4.1 in Peter
> Gruendl's "Netscape Enterprise Server Dot-Dot DoS" was somewhat confusing.
> The iPlanet URL he refers to correctly states that the latest supported
> iPlanet Web servers[0] are 4.0sp6 and 4.1sp5. 4.1sp6 has not been released
> or officially announced by iPlanet.

To clarify on the note. I was told, by Netscape, that they could not reproduce the flaw that was found in their webserver, and that I would be better off installing Service Pack 6 for IWS4.1 (aka. Netscape Enterprise Server 4.1). They later admitted that their testing was solely performed on Solaris and that two different people wrote the letter to me. Obviously one of them doesn't know which patch levels their own products are at. Later again, I got another email stating that they couldn't reproduce on Windows NT 4.0, SP6a.

The reason I released it, even if the vendor has not been able to reproduce, is that we CAN reproduce this. It works on whatever Windows NT-based computer we install it on. We have tried Windows NT 4.0, SP6a, Windows 2000 Professional, Windows 2000 Server with or without SP1. They all crash in exactly the same way. The performed installation is a "next-next-finish" of the web server downloaded from the following location: http://www.iplanet.com/downloads/download/2011.html (that being the Windows NT version).

To spell it out: Iplanet (Sun + Netscape) has not admitted that their product is flawed in any way, and as such they have not released any fix for the problem. Thus, it is very unlikely that the issue will be fixed in SP6 (when that is released). On the other hand, older versions do not appear to suffer from the same defect, so maybe they will (unknowingly) code their way out of it again?

> [0] All Netscape-branded Web server products, including Netscape
> Enterprise 3.6, have officially passed their end-of-life dates and are no
> longer supported.

Where on earth did you get that? Try looking at the HTTP Server header for www.netscape.com :) Just because they label the web server Iplanet Web Server on the outside of the shiny box, doesn't mean the guts got any shinier. It's still NES and I can promise you V4.1SP5 is a supported version.

Peter Gründl
Defcom Security

iPlanet FastTrack/Enterprise 4.1 DoS clarifications
Regarding Peter Gruendl's discovery of DoS attacks against iWS 4.1:

1) Peter G. reports that disabling the cache with cache-init is not an effective workaround for the FastTrack problem.

2) I wrote that iWS 4.1 has "at least one huge hole (remote code execution via SSL/TLS implementation bug)". Another reader has pointed out that the SSL/TLS problem was announced as a Denial of Service vulnerability.

3) The note about Service Pack levels for iPlanet Enterprise 4.1 in Peter Gruendl's "Netscape Enterprise Server Dot-Dot DoS" was somewhat confusing. The iPlanet URL he refers to correctly states that the latest supported iPlanet Web servers[0] are 4.0sp6 and 4.1sp5. 4.1sp6 has not been released or officially announced by iPlanet.

Thanks,

-Peter

[0] All Netscape-branded Web server products, including Netscape Enterprise 3.6, have officially passed their end-of-life dates and are no longer supported.

Re: iPlanet FastTrack/Enterprise 4.1 DoS clarifications
SP6 has been released by iPlanet.
http://www.iplanet.com/support/iws-alert/index.html

Karubin

-----Original Message-----
From: Peter W [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 24, 2001 5:35 AM
To: [EMAIL PROTECTED]
Subject: iPlanet FastTrack/Enterprise 4.1 DoS clarifications

Regarding Peter Gruendl's discovery of DoS attacks against iWS 4.1:

1) Peter G. reports that disabling the cache with cache-init is not an effective workaround for the FastTrack problem.

2) I wrote that iWS 4.1 has "at least one huge hole (remote code execution via SSL/TLS implementation bug)". Another reader has pointed out that the SSL/TLS problem was announced as a Denial of Service vulnerability.

3) The note about Service Pack levels for iPlanet Enterprise 4.1 in Peter Gruendl's "Netscape Enterprise Server Dot-Dot DoS" was somewhat confusing. The iPlanet URL he refers to correctly states that the latest supported iPlanet Web servers[0] are 4.0sp6 and 4.1sp5. 4.1sp6 has not been released or officially announced by iPlanet.

Thanks,

-Peter

[0] All Netscape-branded Web server products, including Netscape Enterprise 3.6, have officially passed their end-of-life dates and are no longer supported.