http://metalink.oracle.com/metalink/plsql/showDoc?db=NEW&id=215900.996

Oracle Security Alert #45
Dated: 04 October 2002 (Updated: 10 October 2002)
Severity: 1

Security Release of Apache 1.3.27

Description

Apache has released version 1.3.27 of its HTTP Server, which contains fixes for the security vulnerabilities noted below and described at http://cve.mitre.org. The vulnerabilities that affect all of the supported versions of the Oracle HTTP Server (OHS) are:

1. CAN-2002-0839: This is a security vulnerability involving System V shared memory based scoreboards. It can only occur on Oracle Linux and HP ports. Exploitation of this vulnerability requires that a malicious and knowledgeable user be able to run his programs on the server web site. As few commercial web sites allow this, the vulnerability applies to few sites. If a malicious and knowledgeable user is able to run his own programs, the web site has more serious, unrelated security issues than the exploit of this vulnerability.

2. CAN-2002-0840: This is a cross-site scripting vulnerability involving the default error 404 pages. It can occur on all Oracle database platforms. Exploitation of this vulnerability requires the use of wildcard DNS and the setting of UseCanonicalName = OFF.

3. CAN-2002-0843: There were potential buffer overflows in Apache Bench (ab) that could be exploited by a malicious server. Note that 'ab' is not in Apache itself but is an HTTP client utility used for generating load for performance testing. This vulnerability only occurs when the 'ab' load-generating HTTP client, used for performance testing, is used against a malicious HTTP server.

These security vulnerabilities are described in more detail at http://cve.mitre.org/

Product affected
OHS in Oracle Database Releases 8.1.7.x, 9.0.1.x and 9.2.x
OHS in Oracle9i Application Server Releases 1.0.2.x and 9.0.2.x

Platforms affected
All except as noted in item #1 in the Description above.
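The UseCanonicalName precondition for item #2, shown as an added httpd.conf illustration that is not part of the alert: the setting under which the 404 page reflects the client-supplied Host header, beside the setting that removes that precondition (the ServerName value is a placeholder).

```apache
# Weak: with UseCanonicalName Off, Apache builds self-referencing URLs
# (including those in the default 404 page on the versions the alert
# covers) from the Host header the client sent, which is what makes the
# wildcard-DNS cross-site scripting case in CAN-2002-0840 possible.
UseCanonicalName Off

# Hardened: build self-referencing URLs from ServerName instead of the
# request's Host header. www.example.com is a placeholder hostname.
ServerName www.example.com
UseCanonicalName On
```

Changing the directive only removes the precondition the alert names; the actual fix is the upgrade to Apache 1.3.27 that the alert announces.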
===============================================================
Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC
--
Author: Ray Stell
INET: [EMAIL PROTECTED]