Forum OpenACS Development: Heads up: Oracle Security announcement

For those that haven't heard already, here is a security announcement for Oracle:

Oracle has issued an alert (PDF) detailing high risk security holes affecting all SSL products in the Oracle9i Application Server, the Oracle9i and Oracle8i Database Servers, and Oracle HTTP server. "Any client that is able to access the server may exploit the vulnerabilities," the company said in its alert.

The patches address security issues in OpenSSL that were outlined on our site last month, and originally published by NISCC on Sept. 30. Fixes for these problems are available in the latest versions of OpenSSL (0.9.6k and 0.9.7c).

OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a general purpose cryptography library.

Topically, the host involved in today's fraud attack on National Westminster was, according to the published Apache module line, running a vulnerable version of OpenSSL.

Posted by Steve Manning on
<blockquote>Topically, the host involved in today's fraud attack on National Westminster was, according to the published Apache module line, running a vulnerable version of OpenSSL.
</blockquote>

I got that one in my mailbox today. You have to admire the audacity of these guys. It amazes me that people fall for them, but then again I'm even more amazed that people fall for Nigerian 419 scams as well. The thing that gave it away to me (apart from not being a NatWest customer) was the line 'It's truly our pleasure to serve you'. Anyone who has had dealings with NatWest knows that's not true. A more realistic line would have been 'You have been charged £15 for this e-mail. Failure to respond will incur a charge of £25.' :o)

    Steve