Bugtraq mailing list archives

RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener

From: "Aaron C. Newman" <aaron () newman-family com>
Date: Fri, 29 Jun 2001 19:06:11 -0400

I also could not locate a patch or even a reference to the bug id either.

There is a little bit of disparity between the Covert and the Oracle
advisories. Oracle currently claims they are in the process of backporting.
Having dealt with Oracle in the past on issues such as this, they have alot
of work backporting to all the different platforms and versions, so it
typically takes them quite sometime to patch this stuff.

From the Covert release:

Oracle has produced a patch under bug number 1489683 which is available for
download .....

From the Oracle release:

Oracle has fixed this vulnerability in Oracle9i. Oracle is in the process of
backporting the fix to supported Oracle8i database server and Release 8.1.7
and 8.1.6 ......

I will attempt to contact the security product manager over there and let
everyone know if I find anything out.

Aaron C. Newman
CTO/Founder
Application Security, Inc.
212-490-6022
anewman () appsecinc com
www.appsecinc.com
-Protection Where It Counts-

-----Original Message-----
From: bugtraq-return-673-aaron=newman-family.com () securityfocus com
[mailto:bugtraq-return-673-aaron=newman-family.com () securityfocus com]On
Behalf Of Jeffrey M. Smith
Sent: Friday, June 29, 2001 12:54 PM
To: COVERT Labs; bugtraq () securityfocus com
Subject: RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener

o Resolution

Oracle has produced a patch under bug number 1489683 which is
available for download from the Oracle Worldwide Support Services
web site, Metalink (http://metalink.oracle.com) for the platforms
identified in this advisory. The patch is in production for all
supported releases of the Oracle Database Server.


It may be premature to say there is a resolution to this problem or the
other reported problem ([COVERT-2001-03] Oracle 8i SQLNet Header
Vulnerability). I have searched the metalink site for several hours trying
to find a bug report that references either of these problems or the
patches, to no avail. I've also searched for the patch on Oracle's ftp
server ftp-oracle.oracle.com, also without success. There are at least 3
articles posted to the internal metalink networking forum from Oracle users
who haven't been able to locate the patches.

I have opened a "TAR" with Oracle to request the patches, but has anyone
been able to locate either of these patches or the corresponding bug reports
on metalink?

Jeff Smith, Purdue University

Current thread:

RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Aaron C. Newman (Jul 02)
- <Possible follow-ups>
- RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Aaron C. Newman (Jul 02)
  - Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Jair Pedro (Jul 07)
    - Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Martin Macok (Jul 12)
    - Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Jair Pedro (Jul 15)
    - Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener ian stanley (Jul 15)
    - RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Aaron C. Newman (Jul 16)
- Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Dennis W. Mattison (Jul 13)