[Oracle under Linux is vulnerable -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Return-Path: <[EMAIL PROTECTED]>
Approved-By: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <[EMAIL PROTECTED]>
Reply-To: Oracle Security Alerts <[EMAIL PROTECTED]>
Organization: Oracle Product Security Management
From: Oracle Security Alerts <[EMAIL PROTECTED]>
Sender: Bugtraq List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Patch for Potential Vulnerability in Oracle XSQL Servlet
Date: Tue, 23 Jan 2001 01:41:10 -0800

Patch for Potential Vulnerability in Oracle XSQL Servlet

Description:

A potential security vulnerability in Oracle XSQL Servlet has been discovered when using stylesheets as URL parameters which permits the execution of arbitrary Java code on the Oracle 8.1.7.0.0 database server with elevated privileges. This vulnerability was discovered in Oracle8i, Release 8.1.7.0.0, Enterprise Edition running Oracle Internet Application Server (iAS) and XSQL Servlet, Release 1.0.0.0, on MS Windows 2000. It also exists in XSQL releases 1.0.1.0 to 1.0.3.0 on all platforms.

Solution:

Oracle has corrected this vulnerability in the new release of XSQL Servlet as well as provided more secure behavior by default. The new release of XSQL Servlet, Release 1.0.4.0, can be obtained from Oracle Technology Network, OTN, http://otn.oracle.com/tech/xml/xsql_servlet. A patch will also be available in the upcoming Oracle8i, Release 8.1.7.1, patch set and available for use with iAS Release 1.0.2.1.

Credits:

Oracle Corporation wishes to thank Georgi Guninski for discovering this vulnerability and promptly bringing it to Oracle's attention.
------------------------------

End of this Digest
******************

--
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/

------------------------------------------------
The mailing list archives are available at
http://lists.linux-india.org/cgi-bin/wilma/linux-delhi
