Forum OpenACS Q&A: Oracle Security Alert #68

Posted by Andrew Piskorski on
FYI, Oracle just issued a new security alert today. If any of you are running Oracle accessible over anything other than a small LAN behind a good firewall, you probably want to grab the patch from Metalink right away. In part, Oracle's security bulletin says:

Alert #68: Oracle Security Update

Description:

This security alert addresses security vulnerabilities in Oracle's server products.

Supported Products Affected:

  • Oracle Database 10g Release 1, version 10.1.0.2
  • Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, and 9.0.4
  • Oracle8i Database Server Release 3, version 8.1.7.4
  • Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
  • Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
  • Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
  • Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
  • Oracle9i Application Server Release 1, version 1.0.2.2

The following product releases and versions, and all future releases and versions are not affected:

  • Oracle Database 10g Release 1, version 10.1.0.3
  • Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not yet available)
  • Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet available)

Unsupported products, releases and versions have not been tested for the presence of these vulnerabilities, nor patched, in accordance with section 4.3.3.3 of the Software Error Correction Support Policy:

Oracle Database Server Vulnerabilities:

The available patches eliminate vulnerabilities in the Database Server and the Listener. The unpatched exposure risk is high; exploiting some of these vulnerabilities requires network access, but no valid user account.

[etc...] (Note that nowhere does it say what the actual problem is, but presumably you could find that elsewhere if you look.)
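A practical follow-up to the post above: when a bulletin like this lists exact affected versions plus a "this version and all later ones are fixed" line, the first thing to do is compare what your instances actually report against those two lists. The script below is an added example written for this page, not code from the original post or from Oracle. The version lists are transcribed from the bulletin text quoted above; everything else (the `v$version` banner parsing, the mapping from a banner's major.minor number to the bulletin's product-line names, and the zero-padded tuple comparison so that "9.0.4" equals "9.0.4.0") is my own assumption and is marked as such in the comments. The sample banners are constructed, not captured from real systems.

```python
"""Compare reported Oracle versions against the Alert #68 affected/fixed lists.

Added example for this forum page; not Oracle's code and not the poster's.
AFFECTED and FIXED_FROM are transcribed from the bulletin quoted above.
Everything else is an assumption made for illustration.
"""
import re

# Transcribed from the bulletin's "Supported Products Affected" list.
AFFECTED = {
    "Oracle Database 10g Release 1": {"10.1.0.2"},
    "Oracle9i Database Server Release 2": {"9.2.0.4", "9.2.0.5"},
    "Oracle9i Database Server Release 1": {"9.0.1.4", "9.0.1.5", "9.0.4"},
    "Oracle8i Database Server Release 3": {"8.1.7.4"},
    "Oracle Enterprise Manager Grid Control 10g": {"10.1.0.2"},
    "Oracle Enterprise Manager Database Control 10g": {"10.1.0.2"},
    "Oracle Application Server 10g (9.0.4)": {"9.0.4.0", "9.0.4.1"},
    "Oracle9i Application Server Release 2": {"9.0.2.3", "9.0.3.1"},
    "Oracle9i Application Server Release 1": {"1.0.2.2"},
}

# Transcribed from the bulletin's "not affected" list: this version and all
# future versions of the same product line are not affected.
FIXED_FROM = {
    "Oracle Database 10g Release 1": "10.1.0.3",
    "Oracle Enterprise Manager Grid Control 10g": "10.1.0.3",
    "Oracle Application Server 10g (9.0.4)": "9.0.4.2",
}

# Assumption (not from the bulletin): which database product line a
# major.minor pair from a v$version banner belongs to.
DB_LINE_BY_MAJOR_MINOR = {
    (10, 1): "Oracle Database 10g Release 1",
    (9, 2): "Oracle9i Database Server Release 2",
    (9, 0): "Oracle9i Database Server Release 1",
    (8, 1): "Oracle8i Database Server Release 3",
}

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_version(text):
    """'9.0.4' -> (9, 0, 4, 0, 0): dotted version as a zero-padded 5-tuple.

    Assumption: Oracle versions compare component-wise as integers, and a
    missing trailing component means zero, so '9.0.4' == '9.0.4.0'.
    """
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (5 - len(parts)))


def classify(product, version):
    """Return 'affected', 'fixed', or 'untested' for a product/version pair.

    'untested' mirrors the bulletin's own wording: a version that is on
    neither list was not tested and not patched, which is not the same as safe.
    """
    v = parse_version(version)
    if any(v == parse_version(a) for a in AFFECTED.get(product, ())):
        return "affected"
    fix = FIXED_FROM.get(product)
    if fix is not None and v >= parse_version(fix):
        return "fixed"
    return "untested"


def classify_banner(banner):
    """Classify a database from its v$version banner line.

    Returns (product_line, version_string, status). The product line is
    derived from the major.minor number via the assumed table above.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no dotted version number in banner: %r" % banner)
    version = m.group(1)
    major, minor = parse_version(version)[:2]
    product = DB_LINE_BY_MAJOR_MINOR.get((major, minor), "unknown")
    return product, version, classify(product, version)


# Constructed sample banners, in the shape of "select banner from v$version".
SAMPLE_BANNERS = [
    "Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production",
    "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0 - Prod",
    "Oracle9i Enterprise Edition Release 9.2.0.3.0 - Production",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        product, version, status = classify_banner(banner)
        print("%-40s %-10s %s" % (product, version, status))
```

Two caveats a practitioner should keep in mind. The base version number cannot tell you whether the Alert #68 patch has already been applied on top of an affected release, so "affected" here means "affected unless you have already applied the patch", and the bulletin's statement that some issues need only network access and no account means the listener is the part to worry about first if it is reachable from anywhere untrusted.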