Updated September 11, 2003
On August 22, 2003 RealNetworks reported
that Helix Universal Server 9 and earlier versions (RealSystem Server 8, 7 and
RealServer G2) were vulnerable to a root exploit when certain types of character
strings appeared in large numbers within URLs destined for the Server's protocol
parsers. RealNetworks Proxy products were not vulnerable to this exploit.
Affected Software:
Helix Universal Server 9.01, versions 9.0.2.794 and earlier
RealSystem Server 8.0 & 7.0
Solution:
Customers are encouraged to upgrade their Server software to the latest version,
which contains a security patch. On September 10, 2003, RealNetworks publicly
released new installation binaries that prevent improperly formed URLs
from causing a buffer overrun within data structures that store resource
file names within the Server.
Helix Server customers are encouraged to upgrade to the latest version of
the Helix Universal Server. This will require reinstallation of the software;
however, all existing configuration settings (rmserver.cfg file) will function
without modification with this new build (see notes below). Any previously
provided and current (non-expired) 9.0.x product license will enable this
upgrade.
To preserve the Helix configuration file: The rmserver.cfg file will be
renamed "rmserver.cfg.bak" by the installer, and a new rmserver.cfg
file will be installed. In order to maintain your previous Helix Server configurations,
you should rename or discard the newly installed "rmserver.cfg"
file, and rename "rmserver.cfg.bak" to "rmserver.cfg".
Execute or restart the Helix Server to read this configuration information.
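The rename steps above as a shell function, added here as an example and not part of the RealNetworks advisory. The directory argument and the file name rmserver.cfg.installed (used to keep the installer's new file instead of discarding it) are assumptions.

```shell
#!/bin/sh
# Added example: restore the pre-upgrade Helix Server configuration.
# Assumptions: the caller passes the directory that holds rmserver.cfg;
# "rmserver.cfg.installed" is a hypothetical name chosen here so the
# installer's fresh file is kept for comparison rather than deleted.
restore_helix_cfg() {
    dir=$1
    cfg="$dir/rmserver.cfg"
    bak="$dir/rmserver.cfg.bak"
    fresh="$dir/rmserver.cfg.installed"

    # Without the .bak there is no previous configuration to restore.
    if [ ! -f "$bak" ]; then
        echo "no $bak found; nothing to restore" >&2
        return 1
    fi

    # Do not clobber a file kept aside by an earlier run.
    if [ -e "$fresh" ]; then
        echo "$fresh already exists; move it away first" >&2
        return 2
    fi

    # Rename the newly installed file (the advisory allows rename or discard).
    if [ -f "$cfg" ]; then
        mv "$cfg" "$fresh" || return 3
    fi

    # Put the previous configuration back under the name the Server reads.
    mv "$bak" "$cfg" || return 3

    echo "restored $cfg; restart the Helix Server to load it"
    return 0
}

# Usage: restore_helix_cfg /path/to/helix/server/directory
```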
All actively supported Helix Universal Server platforms are available:
The latest version is:
Helix Universal Server 9.01 Security Update
Version: 9.0.2.802
Platform and configuration support details are available at
http://www.realnetworks.com/resources/contentdelivery/server/recommended_platforms.html
If you are a Server 8.0x customer, please contact
Customer Service. Server 7, 6 and G2 are not supported servers and have
not been patched. Please contact sales or Customer Service for information
about upgrading.
Acknowledgement:
RealNetworks wishes to thank those who posted information about this problem
on http://www.securityfocus.com/.
Warranty:
While RealNetworks endeavors to provide you with the highest quality products
and services, we cannot guarantee and do not warrant that the operation of
any RealNetworks product will be error-free, uninterrupted or secure. See
your original license agreement for details of our limited warranty or warranty
disclaimer.