lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.BSO.4.53.0307251258460.4530@rhiannon.precision-guesswork.com>
Date: Fri, 25 Jul 2003 12:59:20 -0700 (PDT)
From: Tina Bird <tbird@...cision-guesswork.com>
To: bugtraq@...urityfocus.com
Subject: question about oracle advisory



Oracle's released three security-related patches today.  I'm trying to
get my head around them to write up a Stanford Security Alert, but
there's conflicting information.  According to
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf the buffer
overflow in the EXTPROC code can only be triggered by an authenticated
user with the CREATE LIBRARY or CREATE ANY LIBRARY privilege.

According to the NGSSoftware advisory that announced the vulnerability,
the buffer overflow can be exploited without any authentication or
privilege-checking.

Anyone have any ideas?

thanks -- tbird

--
A computer lets you make more mistakes faster than any invention in human
history - with the possible exception of handguns and tequila.

                                 -- Mitch Ratliff

http://www.precision-guesswork.com
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ