OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Aaron C. Newman (aaronnewman-family.com)
Date: Fri Jun 29 2001 - 20:07:26 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Word from Oracle product management is that the patch was out and then
    shortly withdrawn due to other problems it caused.

    From the Oracle website:

    ID:725260 Patch::1656431 Patch Obsoleted
    CORRUPTED ORACLE NET PACKET HEADER CAUSES LISTENER TO CORE DUMP

    This patch is obsolete. Please see the reason stated below. If a replacement
    patch is not mentioned, contact Oracle Support for help.

    Reason for Obsolescence
    This patch is being withdrawn because of a regression of bug 1654631 which
    is fixed as bug 1814117 . The patch will be made available again with the
    new fix included as soon as possible.

    You can register to recieve an email of when and where the patch is released
    by following this link and submitting your email address:
    http://www.appsecinc.com/resources/mailinglist.html

    Thank you,
    Aaron C. Newman
    CTO/Founder
    Application Security, Inc.
    212-490-6022
    anewmanappsecinc.com
    www.appsecinc.com
    -Protection Where It Counts-

    -----Original Message-----
    From: bugtraq-return-673-aaron=newman-family.comsecurityfocus.com
    [mailto:bugtraq-return-673-aaron=newman-family.comsecurityfocus.com]On
    Behalf Of Jeffrey M. Smith
    Sent: Friday, June 29, 2001 12:54 PM
    To: COVERT Labs; bugtraqsecurityfocus.com
    Subject: RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener

    > o Resolution
    >
    > Oracle has produced a patch under bug number 1489683 which is
    > available for download from the Oracle Worldwide Support Services
    > web site, Metalink (http://metalink.oracle.com) for the platforms
    > identified in this advisory. The patch is in production for all
    > supported releases of the Oracle Database Server.

    It may be premature to say there is a resolution to this problem or the
    other reported problem ([COVERT-2001-03] Oracle 8i SQLNet Header
    Vulnerability). I have searched the metalink site for several hours trying
    to find a bug report that references either of these problems or the
    patches, to no avail. I've also searched for the patch on Oracle's ftp
    server ftp-oracle.oracle.com, also without success. There are at least 3
    articles posted to the internal metalink networking forum from Oracle users
    who haven't been able to locate the patches.

    I have opened a "TAR" with Oracle to request the patches, but has anyone
    been able to locate either of these patches or the corresponding bug reports
    on metalink?

    Jeff Smith, Purdue University