Re: *Huge* security hole in Oracle 8.0.5 with Intellegent agent

[long () KESTREL CC UKANS EDU (Jeff Long)]

David Adrian wrote:
> John Ritchie wrote:
>
> > On Fri, 30 Apr 1999, Anthony Clarke wrote:
<snip>

> > So if you've installed Oracle's Intelligent Agent or aren't sure if it's
> > installed then check your oratclsh and fix that bit.  The only systems
> > I've had experience on are 8.0.5 for Solaris and Linux but I'd check any
> > 8.x release on any platform if it were mine.
<snip>

>     I patched my Linux version of oracle to 8.0.5.1.  When I checked for this
> vulnerability, the suid bit was not set, and the ownership of oratclsh was
> oracle.oracle.
>     So it seems likely that upgrading to 8.0.5.1 will fix the problem.  On Linux,
> this was necessary to fix many other nasty bugs anyway.

Well, I patched to 8.0.5.1 on Digital Unix a while ago and discovered on
Friday that oratclsh was still suid root so at least on my platform
8.0.5.1 did not solve the problem.

Jeff Long