
RE: Oracle alert #51 - is bug fix in 8.1.7.4.7 for win32 (W2K on Inte

From: Boivin, Patrice J <BoivinP_at_mar.dfo-mpo.gc.ca>
Date: Fri, 14 Feb 2003 12:09:24 -0800
Message-ID: <F001.0054E23B.20030214120924@fatcity.com>


From the readme file, the 8.1.7.4.7 patch for win32 only contains one item
over and above 8.1.7.4.6:

Bug      Base Bug  Category  Description
-----    --------  --------  -----------------------------------------------
2790160  2787968   NET       INAPPROPRIATE MESSAGE ON ERROR CONDITION
                             THAT SHOULD NEVER OCCUR

Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Systems Admin & Operations | Admin. et Exploit. des systèmes
Technology Services        | Services technologiques
Informatics Branch         | Direction de l'informatique 
Maritimes Region, DFO      | Région des Maritimes, MPO

E-Mail: boivinp_at_mar.dfo-mpo.gc.ca

-----Original Message-----
Sent: Friday, February 14, 2003 2:53 PM
To: Multiple recipients of list ORACLE-L Inte

Hi.

I've been on digest mode on this list for quite a while. When I received the alert from Oracle this morning, I set the list to NODIGEST.
I'm just now receiving emails in real time.

I'm sure that this subject was already covered on the list today, so I apologize in advance for posting a probably redundant subject.

Does anyone know if the fix for the bug #2620726 covered in alert #51 is included in 8.1.7.4.7?
It is not mentioned in the readme.

Is anyone aware of a known exploit existing for this vulnerability? I have scanned the following sites, but found no announcements except for those released by Oracle.

http://metalink.oracle.com                          alerts 48-52
http://otn.oracle.com/deploy/security/alerts.htm    alerts 48-52

http://www.securityfocus.com/                       2/14/2003 1:02:12 PM   nothing
http://www.cert.org                                 2/14/2003 1:02:53 PM   nothing
http://www.sans.org                                 2/14/2003 1:04:19 PM   nothing
http://www.appsecinc.com/resources/alerts/oracle/   2/14/2003 1:20:23 PM   nothing
http://www.treachery.net/                           2/14/2003 1:43:18 PM   nothing
http://online.securityfocus.com/archive/1           2/14/2003 1:44:04 PM   nothing
http://www.rootprompt.org/                          2/14/2003 1:45:24 PM   nothing
http://razor.bindview.com/                          2/14/2003 1:47:03 PM   nothing
http://www.packetstormsecurity.org/                 2/14/2003 1:47:40 PM   nothing


(I've been away from the grey/black hat sites for a long time).

From the readme for 8.1.7.4.7: (only one entry)

Bug fixes included in this patch

<8.1.7.4.7>

Bug      Base Bug  Category  Description
-----    --------  --------  -----------------------------------------------
2790160  2787968   NET       INAPPROPRIATE MESSAGE ON ERROR CONDITION
                             THAT SHOULD NEVER OCCUR

<8.1.7.4.6>





Oracle Security Alert #51
Dated: 11 February 2003
Severity: 1

Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server

Description
A potential security vulnerability has been discovered in the ORACLE.EXE binary of Oracle9i Database. A knowledgeable and malicious user can potentially execute arbitrary code by exploiting a buffer overflow in this binary.

Note that this exploit can manifest only when using a client application that does not place proper limits on the size of data sent to the server.

Products Affected
Oracle9i Database Release 2, Oracle9i Database Release 1, Oracle8i Database v 8.1.7, Oracle Database v 8.0.6.

Platforms Affected
All platforms.

Patch Information
Oracle has fixed the potential security vulnerability identified above under the base bug number 2620726. Future releases of the Oracle Database Server will contain the fix by default.

This potential security vulnerability is fixed in the last patchset level for each database release on all platforms. It will be available in the Oracle9i Database Release 2 v 9.2.0.3 patchset. It is available on Oracle9i Database Release 2 v 9.2.0.2, on Oracle9i Database Release 1 v 9.0.1.4 and on Oracle8i Database v 8.1.7.4. It is available for Oracle8 Database v 8.0.6 on demand.

Download currently available patches from Oracle Support Services web site, MetaLink (http://metalink.oracle.com). Activate the Patches button to get to the patches web page. Enter Bug Number 2620726 as indicated above and activate the Go button.

Please review MetaLink, or check with Oracle Support Services periodically for patch availability if the patch for your platform is unavailable.

Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.



I am most concerned that if an exploit is in the wild for this vulnerability that a compromise could easily occur. If no exploit is loose, I can have a nice weekend and pick this up next week. :)

thanks much,

Paul

Paul Drake
DBA/SysAdmin
Encoda Systems, Agency Solutions
mailto:paul.drake_at_encodasystems.com

"This information in this e-mail is intended solely for the addressee and may contain information which is confidential or privileged. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, or believe that you have received this communication in error, please do not print, copy, retransmit, disseminate, or otherwise use the information. Also, please notify the sender that you have received this e-mail in error, and delete the copy you received."

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Drake, Paul
  INET: Paul.Drake_at_encodasystems.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Author: Boivin, Patrice J
  INET: BoivinP_at_mar.dfo-mpo.gc.ca

Received on Fri Feb 14 2003 - 14:09:24 CST
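
An added example, not part of the original thread and not Oracle tooling: one way to answer "is bug N listed in this readme?" mechanically, by parsing the readme's per-patchset sections and matching the number against both the Bug and Base Bug columns, since the alert identifies the fix by its base bug number. The names `parse_readme` and `find_bug` are hypothetical, and the sample text is constructed: only the <8.1.7.4.7> row comes from the readme quoted above, and the <8.1.7.4.6> row uses placeholder numbers.

```python
import re

# Constructed sample. The <8.1.7.4.7> row is the one quoted in the thread;
# the <8.1.7.4.6> row is a placeholder, not taken from any real readme.
SAMPLE_README = """\
<8.1.7.4.7>
Bug      Base Bug  Category  Description
-----    --------  --------  -----------------------------------------------
2790160  2787968   NET       INAPPROPRIATE MESSAGE ON ERROR CONDITION
                             THAT SHOULD NEVER OCCUR

<8.1.7.4.6>
0000001  0000002   RDBMS     CONSTRUCTED PLACEHOLDER ENTRY
"""

SECTION = re.compile(r"^<(\d+(?:\.\d+)+)>$")          # e.g. <8.1.7.4.7>
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(.*\S)\s*$")  # bug, base bug, category, text


def parse_readme(text):
    """Return one dict per bug row, tagged with the patchset section it sits in."""
    entries, section = [], None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            section = m.group(1)
            continue
        m = ROW.match(line)
        if m and section:
            bug, base, cat, desc = m.groups()
            entries.append({"section": section, "bug": bug, "base_bug": base,
                            "category": cat, "description": desc})
        elif (line[:1].isspace() and line.strip() and entries
              and entries[-1]["section"] == section):
            # Indented, non-empty line: wrapped description of the previous row.
            entries[-1]["description"] += " " + line.strip()
    return entries


def find_bug(entries, number):
    """List (section, column) pairs where the number appears as Bug or Base Bug."""
    n = str(number)
    return [(e["section"], "bug" if e["bug"] == n else "base_bug")
            for e in entries if n in (e["bug"], e["base_bug"])]


if __name__ == "__main__":
    rows = parse_readme(SAMPLE_README)
    for n in ("2620726", "2787968"):
        print(n, find_bug(rows, n) or "not listed in this readme text")
```

An empty result only means the number does not appear in the text that was parsed; it does not establish whether the fix is present in the installed binaries.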
