Existing Netscape Communicator/Navigator packages contain
the following vulnerabilities:
- Netscape Communicator JPEG-Comment Heap Overwrite Vulnerability
- executes arbitrary code in the comment field of a JPEG image
- Netscape Communicator/Navigator versions 4.0 through 4.73 are vulnerable
- Multiple Vendor Java Virtual Machine Listening Socket Vulnerability
- Netscape Communicator URL Read Vulnerability
- items 2 and 3 together are known as the "Brown Orifice" vulnerability
- can be exploited to expose the contents of your computer to anyone on the Internet, allowing to read files visible to the user running the browser
- Netscape Communicator/Navigator versions 4.0 through 4.74 are vulnerable
We recommend that users running Netscape Communicator/Navigator upgrade to
version 4.75. New packages are available in source form and for Intel ia32
machines running Debian 2.2 (potato). Note that the new packages will not
remove your existing Communicator/Navigator packages; you should manually
remove any older installed versions of Communicator/Navigator.
There are several ways to remove the netscape packages. A quick way to do so
is to run "apt-get remove netscape-base-473", substituting 473 with 406, 407,
408, 45, 451, 46, 461, 47, or 472 as needed. If you do not have apt-get, you
can run "dpkg --remove communicator-smotif-473 communicator-base-473
netscape-java-473 navigator-smotif-473 navigator-base-473", again substituting
any other versions you may have installed. You may also remove the packages
via dselect.
If you have "deb http://security.debian.org/ potato/updates main contrib
non-free" in /etc/apt/sources.list you can run "apt-get update ;
apt-get install communicator" to install the full communicator package
(including mail and news) or "apt-get update ; apt-get install
navigator" for the browser only. A typical manual install includes
communicator-smotif-475, communicator-base-475, netscape-base-475,
netscape-base-4, and netscape-java-475.
