Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Silently fixed security bugs in Oracle Critical Patch Update July 2005
From: "David Litchfield" <davidl () ngssoftware com>
Date: Fri, 15 Jul 2005 18:17:25 +0100

Hi Alex and all,

After reading the patch documentation and some tests with the CPU July 2005 I found out that Oracle fixed some security bugs silently without mention these bugs in their current risk matrix.

Detailed information about most of these bugs are not available via Metalink but in many cases the description is sufficient for a malicious attacker (e.g. "/DAV_PUBLIC IS NOT PROTECTED BY DEFAULT ENABLING MALITIOUS USER TO FILL IT UP")

For Mod_Oradav 9.0.2.3:
2576249 - /DAV_PUBLIC IS NOT PROTECTED BY DEFAULT ENABLING MALITIOUS USER TO FILL IT UP
2544464 - ORAALTPASSWORD SHOULD BE ENCRYPTED AND NOT JUST OBFUSCATED

I don't think this one was silently fixed - see http://www.securitytracker.com/alerts/2003/Feb/1006098.html

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault