Updated: 30 September 2002
Versions of the zlib compression library earlier than 1.1.4 contain a potential security vulnerability: a specially crafted invalid compressed data stream supplied to zlib's decompression routines can cause zlib to attempt to free the same memory twice. All RealNetworks Server, Proxy and Gateway products version 9.0.2.766 and prior link to this library when compiled and are thus subject to the vulnerability.
Affected Software:
All versions of RealSystem Server 6.x, 7.x, 8.x
Helix Universal Server 9.0
Helix Universal Gateway 9.0
RealSystem Proxy 8.x and Helix Universal Proxy 9.0
Solution:
Although RealNetworks has received no reports, at the time of this update, that this vulnerability has been exploited in the field, we have made a security update available to all current Server, Proxy and Gateway customers.
On September 25, 2002, RealNetworks publicly released new installation binaries that contain software compiled using a version of the zlib compression library that remedies this potential security vulnerability. This security update is available for all supported 9.0.x operating systems.
9.0 customers are encouraged to upgrade to the latest version of the Helix Universal Server, Proxy and Gateway for protection against this vulnerability. This upgrade requires a new installation. To perform the upgrade, download the self-extracting installation binary and follow the prompts. Any previously provided and current (non-expired) 9.0.x product license will enable this upgrade.
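One way to check whether a binary still carries a pre-1.1.4 zlib is to search it for the copyright strings that zlib embeds in code it is linked into (for example " inflate 1.1.3 Copyright 1995-1998 Mark Adler "). The script below is an added example, not RealNetworks code; the function names and the sample byte strings are constructed for illustration.

```python
import re
import sys

# zlib embeds strings such as " inflate 1.1.3 Copyright 1995-1998 Mark Adler "
# in its object code, so they remain visible in statically linked binaries.
ZLIB_MARKER = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+){1,3})[\w.-]* Copyright")
FIXED = (1, 1, 4)  # first zlib release without the double free, per the advisory


def parse_version(text):
    """Turn '1.1.3' into (1, 1, 3); pad so that '1.2' compares as (1, 2, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def embedded_zlib_versions(data):
    """Return the sorted, de-duplicated zlib versions whose markers occur in data."""
    found = {parse_version(m.group(2).decode()) for m in ZLIB_MARKER.finditer(data)}
    return sorted(found)


def vulnerable_versions(data):
    """Return only the embedded versions that predate the fixed release."""
    return [v for v in embedded_zlib_versions(data) if v < FIXED]


def scan_file(path):
    """Read a binary from disk and report pre-1.1.4 zlib markers in it."""
    with open(path, "rb") as fh:
        return vulnerable_versions(fh.read())


# Constructed samples: bytes shaped like binaries with zlib 1.1.3 / 1.1.4 linked in.
SAMPLE_OLD = (
    b"\x7fELF\x00 inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
    b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
)
SAMPLE_FIXED = b"\x00 inflate 1.1.4 Copyright 1995-2002 Mark Adler \x00"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        hits = scan_file(path)
        names = ", ".join(".".join(map(str, v)) for v in hits)
        print(f"{path}: " + (f"pre-1.1.4 zlib found: {names}" if hits else "no pre-1.1.4 zlib marker"))
```

A clean result only means no old marker string was found: a binary that loads zlib dynamically has to be checked through the shared library it loads, and a vendor-patched zlib may keep an old version string.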
All actively supported Helix Universal Server platforms are available:
All actively supported Helix Universal Gateway platforms are available:
- Solaris 2.7
- Solaris 2.8
- Microsoft Windows NT 4.0 / Microsoft Windows 2000
- Linux 2.4.18, glibc 2.2
- HP UX 11.0 / HP UX 11.i
- IBM AIX 4.3 / IBM AIX 5L
- Compaq Tru64 5.1 / Compaq Tru64 5.1A
- FreeBSD 4.0 / FreeBSD 4.5
All actively supported Helix Universal Proxy platforms are available:
- Solaris 2.7
- Solaris 2.8
- Microsoft Windows NT 4.0 / Microsoft Windows 2000
- Linux 2.4.18, glibc 2.2
- HP UX 11.0 / HP UX 11.i
- IBM AIX 4.3 / IBM AIX 5L
- Compaq Tru64 5.1 / Compaq Tru64 5.1A
See recommended platforms for platform and configuration support details. If you are an 8.x or 7.x customer, please telephone Customer Service.
- Linux 2.0-libc6
- Solaris 2.7
- Solaris 2.8
- Microsoft Windows NT 4.0 / Microsoft Windows 2000
- IBM AIX 4.3
- HP UX
- Compaq Tru64 v5.1
Acknowledgement:
This vulnerability was found by RealNetworks Sales Engineering, Japan Office.
Warranty:
While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.

