Bugtraq mailing list archives

iPlanet Web Server 4.1 SP 4-7 Product Alert


From: "Santi Claus" <wurzelsepp201 () hotmail com>
Date: Mon, 14 May 2001 12:50:29 -0000

I've just detected a new Product Alert on iPlanet's Web Site. I'm
sending this information because I was not able to find it in the
bugtraq archive yet. iPlanet does not seem to inform bugtraq
(why?). The information posted herein can be found in
http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html.

======================================================================

Important iPlanet Web Server 4.1 SP 3-7
Product Alert:
Recommend Immediate Patch/Upgrade
 
May 11, 2001
Two vulnerabilities have been identified within iPlanet Web Server (iWS):


1) A manipulation of the HTTP request headers sent to iWS, Enterprise
Edition version 4.1 Service Packs 3 through 7 (iWS4.1sp3-7) can be
exploited as a Denial of Service attack against users of iWS4.1sp3-7
on the Microsoft Windows NT platform*.

2) A manipulation of the HTTP request headers sent to iWS or Netscape
Enterprise Server (NES) that have the Web Publisher feature enabled
can be exploited as a Denial of Service attack.

The risk from these attacks is completely eliminated by deployment of
the following NSAPI.   

aix_flexlog2.tgz
dec-osf1_flexlog2.tgz
hpux_flexlog2.tgz
linux_flexlog2.tgz
solaris_flexlog2.tgz
winnt_flexlog2.zip

While only installations of iWS4.1sp3-7 on Windows NT are
immediately vulnerable to this attack, all users of iWS4.1sp3-7 are
advised to install the NSAPI.   

======================================================================

