Message-ID: <09cf01c37929$9ba97560$8d01010a@GLADIUS>
Date: Fri, 12 Sep 2003 13:30:10 +0100
From: "NGSSoftware Insight Security Research" <nisr@...tgenss.com>
To: <bugtraq@...urityfocus.com>, <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
	<vulnwatch@...nwatch.org>
Subject: Update to the Oracle EXTPROC advisory


Hello,
Please note that Oracle has updated the extproc buffer overrun advisory.
There was some confusion caused because the initial Oracle advisory stated
that a username and password were required to exploit the overflow which was
contrary to the results of our research; we concluded that no user ID or
password was necessary. Whilst I answered many of the mails querying this
discrepancy, for those that I did not have a chance to reply to, please
accept my apologies. The updated Oracle can be found here :
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf . In summary,
Oracle 9i Database Release 2, Oracle 9i Database Release 1 and Oracle 8i
Database (8.1.x) are all vulnerable and that "Risk to exposure is high, as a
valid username and password is not needed in all cases to exploit this
potential vulnerability."
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.nextgenss.com/
+44(0)208 401 0070

NGSSoftware's SQuirrel for Oracle, an advanced security audit tool for
Oracle, checks for these vulnerabilities. More information is available from
http://www.nextgenss.com/products/squirrelfororacle.htm .






