Bugtraq mailing list archives
Re: Silently fixed security bugs in Oracle Critical Patch Update July 2005
From: "David Litchfield" <davidl () ngssoftware com>
Date: Fri, 15 Jul 2005 18:17:25 +0100
Hi Alex and all,
After reading the patch documentation and some tests with the CPU July 2005 I found out that Oracle fixed some security bugs silently without mentioning these bugs in their current risk matrix.
Detailed information about most of these bugs is not available via Metalink but in many cases the description is sufficient for a malicious attacker (e.g. "/DAV_PUBLIC IS NOT PROTECTED BY DEFAULT ENABLING MALITIOUS USER TO FILL IT UP")
For Mod_Oradav 9.0.2.3:
2576249 - /DAV_PUBLIC IS NOT PROTECTED BY DEFAULT ENABLING MALITIOUS USER TO FILL IT UP
2544464 - ORAALTPASSWORD SHOULD BE ENCRYPTED AND NOT JUST OBFUSCATED
I don't think this one was silently fixed - see http://www.securitytracker.com/alerts/2003/Feb/1006098.html
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/