Bugtraq mailing list archives

RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener

From: "Aaron C. Newman" <aaron () newman-family com>
Date: Fri, 29 Jun 2001 21:07:26 -0400

Word from Oracle product management is that the patch was out and then
shortly withdrawn due to other problems it caused.

From the Oracle website:



ID:725260 Patch::1656431  Patch Obsoleted
CORRUPTED ORACLE NET PACKET HEADER CAUSES LISTENER TO CORE DUMP

This patch is obsolete. Please see the reason stated below. If a replacement
patch is not mentioned, contact Oracle Support for help.

Reason for Obsolescence
This patch is being withdrawn because of a regression of bug 1654631 which
is fixed as bug 1814117 . The patch will be made available again with the
new fix included as soon as possible.



You can register to recieve an email of when and where the patch is released
by following this link and submitting your email address:
http://www.appsecinc.com/resources/mailinglist.html


Thank you,
Aaron C. Newman
CTO/Founder
Application Security, Inc.
212-490-6022
anewman () appsecinc com
www.appsecinc.com
-Protection Where It Counts-


-----Original Message-----
From: bugtraq-return-673-aaron=newman-family.com () securityfocus com
[mailto:bugtraq-return-673-aaron=newman-family.com () securityfocus com]On
Behalf Of Jeffrey M. Smith
Sent: Friday, June 29, 2001 12:54 PM
To: COVERT Labs; bugtraq () securityfocus com
Subject: RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener

o Resolution

Oracle has produced a patch under bug number 1489683 which is
available for download from the Oracle Worldwide Support Services
web site, Metalink (http://metalink.oracle.com) for the platforms
identified in this advisory. The patch is in production for all
supported releases of the Oracle Database Server.


It may be premature to say there is a resolution to this problem or the
other reported problem ([COVERT-2001-03] Oracle 8i SQLNet Header
Vulnerability). I have searched the metalink site for several hours trying
to find a bug report that references either of these problems or the
patches, to no avail. I've also searched for the patch on Oracle's ftp
server ftp-oracle.oracle.com, also without success. There are at least 3
articles posted to the internal metalink networking forum from Oracle users
who haven't been able to locate the patches.

I have opened a "TAR" with Oracle to request the patches, but has anyone
been able to locate either of these patches or the corresponding bug reports
on metalink?

Jeff Smith, Purdue University

Current thread:

RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Aaron C. Newman (Jul 02)
- <Possible follow-ups>
- RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Aaron C. Newman (Jul 02)
  - Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Jair Pedro (Jul 07)
    - Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Martin Macok (Jul 12)
    - Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Jair Pedro (Jul 15)
    - Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener ian stanley (Jul 15)
    - RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Aaron C. Newman (Jul 16)
- Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener Dennis W. Mattison (Jul 13)