The latest quarterly Critical Patch Update for Oracle 10gR2 does not plug a hole that allows published attack code to run.
The recent Oracle exploit posted to Bugtraq (http://www.securityfocus.com/archive/1/431353) is actually an 0day and has no patch. The patch for 10g Release 2 for April 2006 Critical Patch Update does _not_ contain a fix for the specific flaw that the exploit takes advantage of. As it happens - this specific flaw was reported to Oracle on the 19th of February 2006.
This is according to David Litchfield.
Ok! Now what?
(via digg)
This entry was posted by Eddie Awad on Thursday, April 27th, 2006, at 4:56 pm, and was filed in Oracle.