Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Oracle alert #51 - is bug fix in 8.1.7.4.7 for win32 (W2K on

RE: Oracle alert #51 - is bug fix in 8.1.7.4.7 for win32 (W2K on

From: Boivin, Patrice J <BoivinP_at_mar.dfo-mpo.gc.ca>
Date: Mon, 17 Feb 2003 05:18:38 -0800
Message-ID: <F001.0054F343.20030217051838@fatcity.com>


If there is a patchset 7 for win32, I am missing 6 patchsets for that OS.

NT 4 is at SP6a, I don't suppose they meant NT 4 SP7 because Microsoft already stated there will not be one.

Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Systems Admin & Operations | Admin. et Exploit. des systèmes
Technology Services        | Services technologiques
Informatics Branch         | Direction de l'informatique 
Maritimes Region, DFO      | Région des Maritimes, MPO

E-Mail: boivinp_at_mar.dfo-mpo.gc.ca

-----Original Message-----
Sent: Friday, February 14, 2003 4:39 PM
To: Multiple recipients of list ORACLE-L on

Patrice,

Thanks for replying.

Others replied stating that the fix for bug 2620726 is not in 8.1.7.4.7. In the Alert #51 body, it listed that the patch was planned to be in Patch Set 7 for Win32.
There is some confusion, at least as far as I am concerned, as to whether 8.1.7.4.7 is patch set 7 or not.
Apparently, patch_set_7 != '8.1.7.4.7', at least for Win32.

The good news then, is no patches to be applied this weekend. Yeah!

Paul

-----Original Message-----
Sent: Friday, February 14, 2003 3:09 PM
To: Multiple recipients of list ORACLE-L on Inte

>From the readme file, the 8.1.7.4.7. patch for win32 only contains one item
over and above 8.1.7.4.6:

par Bug Base Bug Category Description \par ----- -------- --------


\par 2790160  2787968   NET      INAPPROPRIATE MESSAGE ON ERROR CONDITION
\par                             THAT SHOULD NEVER OCCUR
\par 

Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Systems Admin & Operations | Admin. et Exploit. des systèmes
Technology Services        | Services technologiques
Informatics Branch         | Direction de l'informatique 
Maritimes Region, DFO      | Région des Maritimes, MPO

E-Mail: boivinp_at_mar.dfo-mpo.gc.ca

-----Original Message-----
Sent: Friday, February 14, 2003 2:53 PM
To: Multiple recipients of list ORACLE-L Inte

Hi.

I've been on digest mode on this list for quite awhile. When I received the alert from Oracle this morning, I set the list to NODIGEST.
I'm just now receiving emails realtime.

I'm sure that this subject was already covered on the list today, so I apologize in advance for posting a probably redundant subject.

Does anyone know if the fix for the bug #2620726 covered in alert #51 is included in 8.1.7.4.7?
It is not mentioned in the readme.

Does anyone aware of a known exploit existing for this vulnerability? I have scanned the following sites, but found no annoucements except for those released by Oracle.

http://metalink.oracle.com
alerts 48-52
http://otn.oracle.com/deploy/security/alerts.htm alerts 48-52

http://www.securityfocus.com/					2/14/2003
1:02:12 PM		nothing
http://www.cert.org						2/14/2003
1:02:53 PM		nothing
http://www.sans.org						2/14/2003
1:04:19 PM		nothing
http://www.appsecinc.com/resources/alerts/oracle/	2/14/2003 1:20:23 PM
nothing
http://www.treachery.net/					2/14/2003
1:43:18 PM		nothing
http://online.securityfocus.com/archive/1			2/14/2003
1:44:04 PM		nothing
http://www.rootprompt.org/					2/14/2003
1:45:24 PM		nothing
http://razor.bindview.com/					2/14/2003
1:47:03 PM		nothing
http://www.packetstormsecurity.org/				2/14/2003
1:47:40 PM		nothing


(I've been away from the grey/black hat sites for a long time).

>From the readme for 8.1.7.4.7: (only one entry)



Bug fixes included in this patch



<8.1.7.4.7>

Bug Base Bug Category Description

-----    -------- --------  -----------------------------------------------
2790160  2787968   NET      INAPPROPRIATE MESSAGE ON ERROR CONDITION
                            THAT SHOULD NEVER OCCUR

<8.1.7.4.6>





Oracle Security Alert #51
Dated: 11 February 2003
Severity: 1

Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server

Description
A potential security vulnerability has been discovered in the ORACLE.EXE binary of Oracle9i Database. A knowledgeable and malicious user can potentially execute arbitrary code by exploiting a buffer overflow in this binary.

Note that this exploit can manifest only when using a client application that does not place proper limits on the size of data sent to the server.

Products Affected
Oracle9i Database Release 2, Oracle9i Database Release 1, Oracle8i Database v 8.1.7, Oracle Database v 8.0.6.

Platforms Affected
All platforms.

Patch Information
Oracle has fixed the potential security vulnerability identified above under the base bug number 2620726. Future releases of the Oracle Database Server will contain the fix by default.

This potential security vulnerability is fixed in the last patchset level for each database release on all platforms. It will be available in the Oracle9i Database Release 2 v 9.2.0.3 patchset. It is available on Oracle9i Database Release 2 v 9.2.0.2, on Oracle9i Database Release 1 v 9.0.1.4 and on Oracle8i Database v 8.1.7.4. It is available for Oracle8 Database v 8.0.6 on demand.

Download currently available patches from Oracle Support Services web site, MetaLink (http://metalink.oracle.com). Activate the Patches button to get to the patches web page. Enter Bug Number 2620726 as indicated above and activate the Go button.

Please review MetaLink, or check with Oracle Support Services periodically for patch availability if the patch for your platform is unavailable.

Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.



I am most concerned that if an exploit is in the wild for this vulnerability that a compromise could easily occur. If no exploit is loose, I can have a nice weekend and pick this up next week. :)

thanks much,

Paul

Paul Drake
DBA/SysAdmin
Encoda Systems, Agency Solutions
mailto:paul.drake_at_encodasystems.com

"This information in this e-mail is intended solely for the addressee and may contain information which is confidential or privileged. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, or believe that you have received this communication in error, please do not print, copy, retransmit, disseminate, or otherwise use the information. Also, please notify the sender that you have received this e-mail in error, and delete the copy you received."

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Drake, Paul
  INET: Paul.Drake_at_encodasystems.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Boivin, Patrice J
  INET: BoivinP_at_mar.dfo-mpo.gc.ca

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


"This information in this e-mail is intended solely for the addressee and
may contain information which is confidential or privileged.  Access to this
e-mail by anyone else is unauthorized.  If you are not the intended
recipient, or believe that you have received this communication in error,
please do not print, copy, retransmit, disseminate, or otherwise use the
information. Also, please notify the sender that you have received this
e-mail in error, and delete the copy you received."

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Drake, Paul
  INET: Paul.Drake_at_encodasystems.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Boivin, Patrice J
  INET: BoivinP_at_mar.dfo-mpo.gc.ca

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Mon Feb 17 2003 - 07:18:38 CST

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US