FYI, Oracle just issued a new security alert today.
If any of you are running Oracle accessible over anything other than a
small LAN behind a good firewall, you probably want to grab the patch
from Metalink right away. In part, Oracle's security bulletin says:

Alert #68: Oracle Security Update
Description:
This security alert addresses security vulnerabilities in Oracle's
server products.
Supported Products Affected:
- Oracle Database 10g Release 1, version 10.1.0.2
- Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
- Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, and 9.0.4
- Oracle8i Database Server Release 3, version 8.1.7.4
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
- Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
- Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
- Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
- Oracle9i Application Server Release 1, version 1.0.2.2
The following product releases and versions, and all future releases and versions are not affected:
- Oracle Database 10g Release 1, version 10.1.0.3
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not yet available)
- Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet available)
Unsupported products, releases and versions have not been tested for
the presence of these vulnerabilities, nor patched, in accordance with
section 4.3.3.3 of the Software Error Correction Support Policy:
Oracle Database Server Vulnerabilities:
The available patches eliminate vulnerabilities in the Database Server
and the Listener. The unpatched exposure risk is high; exploiting some
of these vulnerabilities requires network access, but no valid user
account.
[etc...]

(Note that nowhere does it say what the actual problem is, but
presumably you could find that elsewhere if you look.)