>From the readme file, the 8.1.7.4.7. patch for win32 only contains one item over and above 8.1.7.4.6:
par Bug Base Bug Category Description \par ----- -------- -------- ----------------------------------------------- \par 2790160 2787968 NET INAPPROPRIATE MESSAGE ON ERROR CONDITION \par THAT SHOULD NEVER OCCUR \par Patrice Boivin Systems Analyst (Oracle Certified DBA) Systems Admin & Operations | Admin. et Exploit. des systèmes Technology Services | Services technologiques Informatics Branch | Direction de l'informatique Maritimes Region, DFO | Région des Maritimes, MPO E-Mail: [EMAIL PROTECTED] -----Original Message----- Sent: Friday, February 14, 2003 2:53 PM To: Multiple recipients of list ORACLE-L Inte Hi. I've been on digest mode on this list for quite awhile. When I received the alert from Oracle this morning, I set the list to NODIGEST. I'm just now receiving emails realtime. I'm sure that this subject was already covered on the list today, so I apologize in advance for posting a probably redundant subject. Does anyone know if the fix for the bug #2620726 covered in alert #51 is included in 8.1.7.4.7? It is not mentioned in the readme. Does anyone aware of a known exploit existing for this vulnerability? I have scanned the following sites, but found no annoucements except for those released by Oracle. http://metalink.oracle.com alerts 48-52 http://otn.oracle.com/deploy/security/alerts.htm alerts 48-52 http://www.securityfocus.com/ 2/14/2003 1:02:12 PM nothing http://www.cert.org 2/14/2003 1:02:53 PM nothing http://www.sans.org 2/14/2003 1:04:19 PM nothing http://www.appsecinc.com/resources/alerts/oracle/ 2/14/2003 1:20:23 PM nothing http://www.treachery.net/ 2/14/2003 1:43:18 PM nothing http://online.securityfocus.com/archive/1 2/14/2003 1:44:04 PM nothing http://www.rootprompt.org/ 2/14/2003 1:45:24 PM nothing http://razor.bindview.com/ 2/14/2003 1:47:03 PM nothing http://www.packetstormsecurity.org/ 2/14/2003 1:47:40 PM nothing (I've been away from the grey/black hat sites for a long time). >From the readme for 8.1.7.4.7: (only one entry) ============================================================================ ======= Bug fixes included in this patch ------------------------------- <8.1.7.4.7> Bug Base Bug Category Description ----- -------- -------- ----------------------------------------------- 2790160 2787968 NET INAPPROPRIATE MESSAGE ON ERROR CONDITION THAT SHOULD NEVER OCCUR <8.1.7.4.6> ============================================================================ ======= ============================================================================ ======= Oracle Security Alert #51 Dated: 11 February 2003 Severity: 1 Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server Description A potential security vulnerability has been discovered in the ORACLE.EXE binary of Oracle9i Database. A knowledgeable and malicious user can potentially execute arbitrary code by exploiting a buffer overflow in this binary. Note that this exploit can manifest only when using a client application that does not place proper limits on the size of data sent to the server. Products Affected Oracle9i Database Release 2, Oracle9i Database Release 1, Oracle8i Database v 8.1.7, Oracle Database v 8.0.6. Platforms Affected All platforms. Patch Information Oracle has fixed the potential security vulnerability identified above under the base bug number 2620726. Future releases of the Oracle Database Server will contain the fix by default. This potential security vulnerability is fixed in the last patchset level for each database release on all platforms. It will be available in the Oracle9i Database Release 2 v 9.2.0.3 patchset. It is available on Oracle9i Database Release 2 v 9.2.0.2, on Oracle9i Database Release 1 v 9.0.1.4 and on Oracle8i Database v 8.1.7.4. It is available for Oracle8 Database v 8.0.6 on demand. Download currently available patches from Oracle Support Services web site, MetaLink (http://metalink.oracle.com). Activate the Patches button to get to the patches web page. Enter Bug Number 2620726 as indicated above and activate the Go button. Please review MetaLink, or check with Oracle Support Services periodically for patch availability if the patch for your platform is unavailable. Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch. ============================================================================ ======= I am most concerned that if an exploit is in the wild for this vulnerability that a compromise could easily occur. If no exploit is loose, I can have a nice weekend and pick this up next week. :) thanks much, Paul Paul Drake DBA/SysAdmin Encoda Systems, Agency Solutions mailto:[EMAIL PROTECTED] "This information in this e-mail is intended solely for the addressee and may contain information which is confidential or privileged. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, or believe that you have received this communication in error, please do not print, copy, retransmit, disseminate, or otherwise use the information. Also, please notify the sender that you have received this e-mail in error, and delete the copy you received." -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Drake, Paul INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Boivin, Patrice J INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
