Re: 3 new Oracle security advisories just released

Pete Finnigan <plsql_at_petefinnigan.com> wrote in message news:<z$BMXoBrIRNARxuQ_at_peterfinnigan.demon.co.uk>...
> Hi everyone,
>
> I just noticed that Oracle have released three new security advisories
> covering the database server 9iR1 and 9iR2 and also the application
> server 9iR1, 9iR2 and earlier. Interestingly in alert #63 Alex Kornbrust
> has found 11 bugs in 9i lite 5. I have added an alerts page to my site
> and linked to Oracles advisories and also the discoverers advisories -
> for anyone who is interested the links can be found at
>
> http://www.petefinnigan.com/alerts.htm
>
> Interestingly Oracles alerts page includes a note in red saying that the
> email subscription service is suspended and directs people to metalink
> instead.
>
> hope people find this useful.
>
> kind regards
>
> Pete

Hi Pete.

> hope people find this useful.

Useful? That depends upon how you look at it. :) "useful" would make our job easier, not make more work Thanks much for the posting here, and on the ORACLE-L list.

So far, I haven't needed to apply any of the post 9.2.0.4 patchsets. I've cured myself of compulsive patching disorder (sorry, Gaja). Finished up with win32 hotfixes last night, and now were back to patching Oracle software. Guess those days of vacation time that are use 'em or lose 'em by 01-Apr aren't going to get used up this month. So much for a 3 day weekend.

I was hoping to be able to hold off patching until 9.2.0.5. Security Alert #64 appears serious enough, so 9.2.0.4 patch 3, p3280131_9204_WINNT, appears to be a requirement.

Do you have any info as to what exactly is vulnerable, say a bypass of sys_privs or obj_privs?

thanks,

Paul Received on Thu Feb 19 2004 - 21:58:39 CST