question about oracle advisory

From: Tina Bird (tbird@precision-guesswork.com)
Date: Fri Jul 25 2003 - 12:59:20 PDT

    Oracle's released three security-related patches today.  I'm trying to
    get my head around them to write up a Stanford Security Alert, but
    there's conflicting information.  According to
    http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf the buffer
    overflow in the EXTPROC code can only be triggered by an authenticated
    user with the CREATE LIBRARY or CREATE ANY LIBRARY privilege.
    
    According to the NGSSoftware advisory that announced the vulnerability,
    the buffer overflow can be exploited without any authentication or
    privilege-checking.
    
    Anyone have any ideas?
    
    thanks -- tbird
    
    --
    A computer lets you make more mistakes faster than any invention in human
    history - with the possible exception of handguns and tequila.
    
                                     -- Mitch Ratliff
    
    http://www.precision-guesswork.com
    Log Analysis http://www.loganalysis.org
    VPN http://vpn.shmoo.com
    tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
    


