OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Aaron C. Newman (aaronnewman-family.com)
Date: Fri Jun 29 2001 - 18:06:11 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I also could not locate a patch or even a reference to the bug id either.

    There is a little bit of disparity between the Covert and the Oracle
    advisories. Oracle currently claims they are in the process of backporting.
    Having dealt with Oracle in the past on issues such as this, they have alot
    of work backporting to all the different platforms and versions, so it
    typically takes them quite sometime to patch this stuff.

    From the Covert release:
    Oracle has produced a patch under bug number 1489683 which is available for
    download .....

    From the Oracle release:
    Oracle has fixed this vulnerability in Oracle9i. Oracle is in the process of
    backporting the fix to supported Oracle8i database server and Release 8.1.7
    and 8.1.6 ......

    I will attempt to contact the security product manager over there and let
    everyone know if I find anything out.

    Aaron C. Newman
    CTO/Founder
    Application Security, Inc.
    212-490-6022
    anewmanappsecinc.com
    www.appsecinc.com
    -Protection Where It Counts-

    -----Original Message-----
    From: bugtraq-return-673-aaron=newman-family.comsecurityfocus.com
    [mailto:bugtraq-return-673-aaron=newman-family.comsecurityfocus.com]On
    Behalf Of Jeffrey M. Smith
    Sent: Friday, June 29, 2001 12:54 PM
    To: COVERT Labs; bugtraqsecurityfocus.com
    Subject: RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener

    > o Resolution
    >
    > Oracle has produced a patch under bug number 1489683 which is
    > available for download from the Oracle Worldwide Support Services
    > web site, Metalink (http://metalink.oracle.com) for the platforms
    > identified in this advisory. The patch is in production for all
    > supported releases of the Oracle Database Server.

    It may be premature to say there is a resolution to this problem or the
    other reported problem ([COVERT-2001-03] Oracle 8i SQLNet Header
    Vulnerability). I have searched the metalink site for several hours trying
    to find a bug report that references either of these problems or the
    patches, to no avail. I've also searched for the patch on Oracle's ftp
    server ftp-oracle.oracle.com, also without success. There are at least 3
    articles posted to the internal metalink networking forum from Oracle users
    who haven't been able to locate the patches.

    I have opened a "TAR" with Oracle to request the patches, but has anyone
    been able to locate either of these patches or the corresponding bug reports
    on metalink?

    Jeff Smith, Purdue University