
Bug Alert: Oracle fixes

Feb 20, 2003

* Patches from Oracle, Debian, Mandrake Linux, others
* Good news: no new viruses to report today
* System break-in nets info on 5.6 million credit cards, and other interesting reading

Today’s bug patches and security alerts:

Oracle fixes database, application server flaws

Oracle is patching four security flaws in its database software and two in its application server, the most serious of which could allow an attacker to take complete control of a system running the software, experts warned. IDG News Service, 02/18/03.


CERT advisory:

Oracle advisories:

Buffer Overflow in DIRECTORY parameter of Oracle9i Database Server

Buffer Overflow in TZ_OFFSET function of Oracle9i Database Server

Buffer Overflow in TO_TIMESTAMP_TZ function of Oracle9i Database Server

Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server

Two Vulnerabilities in Oracle9i Application Server


More PHP fixes available

As we reported in our last issue, a serious security vulnerability exists in PHP’s CGI SAPI. A remote attacker could exploit the flaw to trick the PHP engine into running arbitrary code on the affected machine. No other SAPI module is affected. For more, go to:

Debian releases updated CUPS patch

A previous patch for Debian’s CUPS implementation resulted in an incorrect library dependency. Debian’s got a new patch that fixes the problem. For more, go to:


More w3m packages

Two cross-site scripting flaws have been found in the w3m packages for many Linux flavors. The problems have been fixed in the latest release of the w3m packages. For more, go to:

Gentoo patches syslinux

Previous versions of the syslinux installer required root privileges, which is not necessary. A new version fixes this issue. For more, go to:

Gentoo releases mailman fix

A cross-site scripting flaw has been found in Version 2.1 of mailman for Gentoo. Version 2.1.1 fixes the flaw. For more, go to:

Gentoo patches nethack game

A buffer overflow in the nethack game package for Gentoo could be exploited to gain elevated privileges. A patch is available. For more, go to:


OpenPKG releases Lynx patch

A CRLF injection vulnerability exists in the text-only Lynx browser that could allow the browser to be redirected to a malicious Web site. For more, go to:

OpenPKG updates dhcpd packages

A flaw in dhcpd was not completely patched during a previous round of updates. A new advisory is available with workarounds and a new update. For more, go to:

OpenPKG patches openssl

A flaw in the openssl package for OpenPKG could allow TLS/SSL communications to be passed in plain text. For more on the patch, go to:


Mandrake Linux patches apcupsd

A remote root vulnerability has been found in the apcupsd code. A fix is available that also includes some other enhancements. Mandrake Linux users can get more information from:

Mandrake Linux releases fix for pam_xauth

A flaw in the pam_xauth authorization module could allow an unprivileged user to gain root privileges on the affected machine. There’s a very small window in which this exploit could be used, but nonetheless, there is a flaw. For more, go to:


SuSE patches imp

A flaw in the popular imp Web-based mail system can be exploited to access the underlying database without authentication. Another flaw could be exploited to run arbitrary shell commands. For more, go to:


Today’s roundup of virus alerts:

A rarity: No new viruses to report today.


From the interesting reading department:

System break-in nets info on 5.6 million credit cards

A computer hacker, or hackers, has gained access to the credit card numbers of as many as 5 million credit card customers. Information was stolen from more than 2.2 million MasterCard International accounts and approximately 3.4 million Visa USA cardholder accounts, according to those companies. IDG News Service, 02/18/03.

New security device locks down ‘Net connected apps

Teros, formerly Stratum8 Networks, Tuesday announced Version 2.0 of its Teros-100 Application Protection System, a security appliance designed to protect applications connected to the Internet against cyberattacks. IDG News Service, 02/19/03.

Intel, Check Point team on mobile security

A new multiyear agreement between Check Point and Intel will couple Check Point’s remote access software with Intel’s new Centrino mobile computing technology. IDG News Service, 02/19/03.

TruSecure acquires Vigilinx

The managed security services field narrowed on Tuesday, as TruSecure announced that it had acquired Vigilinx for an undisclosed sum. IDG News Service, 02/18/03.



We’re keen on keeping you up to date and one way we do that is via our always updating archive: