ITEC Newsletter
Vol. 10, No. 3
July 9, 2002

Table of Contents
1. Kermit 95 2.0
2. Oracle HTTP Server (Apache Web Server) Security Vulnerability

1. Kermit 95 2.0
Kermit 95 2.0 is released:

* It runs in a GUI window rather than a Console window. (A console version is available too for those who prefer it.) The GUI version of K95 includes a menu bar, tool bar, scroll bar, status bar, and a selection of essential dialogs and popups. The tool bar includes combo boxes for selection of font, font size, and character set. The K95 window can be resized by stretching, maximized, and restored. Unicode UTF-8 terminal sessions are supported in all Windows versions, allowing mixtures of Latin, Greek, Cyrillic, and other scripts to appear simultaneously on the same screen.

The primary benefit of the GUI version of K95 is freedom from the booby-trapped Microsoft console window environment with all its bugs and limitations, especially in Windows 95/98/ME: inability to choose fonts or use scroll bars, cursors disappearing, Caps Lock with a mind of its own, the "incredible shrinking window", extraneous or out-of-order characters on screen, inability to use Input Method Editors, ghost images on the screen, and on and on and on.
Other new features of K95 2.0 include:

* InstallShield installation;
* HTTP Proxy support for SSH connections;
* FTP TLS support added to Dialer, along with a sample template;
* A new font, Everson Mono Terminal, is included.

These are in addition to the new features of version 1.1.21, which was announced just 8 weeks ago:

* An integrated SSH v1/v2 client <http://www.itec.suny.edu/scsys/kermit/k95sshclient.htm>
* Integrated FTP <http://www.itec.suny.edu/scsys/kermit/k95g20/k95ftpclient.htm> and HTTP clients
* Automatic highlighting of URL hotspots
* A new Windows-based Internet Kermit Service <http://www.itec.suny.edu/scsys/kermit/k95wiksd.htm> (Windows NT, 2000, and XP only)
The Everson Mono Terminal font <http://www.evertype.com/emono/> is licensed from Everson Typography <http://www.evertype.com/> in Ireland for inclusion with Kermit 95 to give you access to scripts you would not be able to see with standard Windows monospace Unicode fonts such as Courier and Lucida Console. It includes Latin, Cyrillic, Greek, Arabic, Hebrew, Coptic, Armenian, Georgian, Runes, Ogham, Canadian Syllabics, Cherokee, Katakana, Hiragana, Tibetan, Math, Symbols, Line and Box Drawing, Dingbats, and APL. This is not a free font; it comes with Kermit 95 2.0 but may not be further redistributed.
A more complete description of version 2.0 can be found here:
http://www.itec.suny.edu/scsys/kermit/K95G20/k95gui.htm <http://www.itec.suny.edu/scsys/kermit/k95g20/k9520gui.htm>

Kermit 95 2.0 is available as an upgrade to all earlier versions:
http://www.itec.suny.edu/scsys/kermit/K95G20/k9520upgrade.htm
Kermit 95 2.0 is not yet available for OS/2. We hope it will be soon, but can make no promises. If it is released for OS/2, it will be only in Console form (because GUI code is not portable) and will not include SSH (because OpenSSH libraries are not available that are compatible with the OS/2 K95 development tools).

Submitted by Kathy Pohl, scsys@itec.mail.suny.edu
2. Oracle HTTP Server (Apache Web Server) Security Vulnerability

I'm sure many of you have heard of the Oracle HTTP Server (Apache Web Server) security vulnerability announced at the end of last month. For those of you who have not heard about it, the full released details follow below. Many patches for both the database and the application server have already been made available by Oracle and ITEC is now making them available to you. All available patches at the time of this writing are available on ITEC's ftp server:

ftp servername: ftp.itec.suny.edu
user: sunydbas
pass: {contact scadm if you don't already know this}
filename: cd to the following directory: ./can_2002_0392/Alert36 and then go to the subdirectory for your platform.

If you don't see your product or platform, keep checking back for the next week or so because we will keep adding patches as Oracle makes them available. If you don't see it within that time frame, please open a Remedy ticket with SCADM and let us know what you are looking for.
Oracle Security Alert #36
Dated: 20 June 2002
Security Vulnerability in Apache HTTP Server Affects Oracle9iAS & Oracle Http Server (OHS)
Description

A potential security vulnerability exists in Apache HTTP Servers up to and including version 1.3.24. A knowledgeable and malicious user can exploit this vulnerability by remotely sending a carefully crafted invalid request to the Apache HTTP server using chunked encoding. Doing so may lead to successful Denial of Service (DoS) attacks on 32-bit Unix operating systems and running of arbitrary code on Windows and 64-bit Unix operating systems.

This potential security vulnerability is described in detail in the Apache Security Advisory dated June 17, 2002 and available at http://httpd.apache.org. Additional information can be found at http://cve.mitre.org/ under "CAN-2002-0392".
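The alert describes the problem only as an invalid chunked-encoding request against Apache 1.3.24 and earlier. The following is an added illustration, not Apache, Oracle or ITEC code: a chunked-transfer decoder that validates and bounds every chunk size before it is used, plus a helper that flags a Server header naming a version in the affected range. The size limits and the sample bodies are assumptions constructed for the example.

```python
import re

# Added example (not Apache, Oracle or ITEC code). Two defender-side checks
# for the issue the alert describes: a strict decoder for HTTP/1.1 chunked
# transfer encoding that bounds every chunk size before using it, and a
# helper that flags a Server header naming Apache 1.3.24 or earlier.

MAX_CHUNK = 1 << 20    # assumed policy limit: 1 MiB per chunk
MAX_BODY = 8 << 20     # assumed policy limit: 8 MiB decoded body
# chunk-size of at most 8 hex digits (always fits 32 bits), optional
# ;extension, then CRLF
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?\r\n")
_SERVER = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
LAST_AFFECTED = (1, 3, 24)   # from the alert: up to and including 1.3.24

class ChunkError(ValueError):
    """Malformed chunked body or a limit exceeded."""

def decode_chunked(data: bytes) -> bytes:
    """Return the decoded body or raise ChunkError; never trusts a size."""
    out = bytearray()
    pos = 0
    while True:
        m = _SIZE_LINE.match(data, pos)      # anchored at pos
        if not m:
            raise ChunkError("bad chunk-size line at offset %d" % pos)
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            # last-chunk: optional trailer headers, then an empty line
            end = pos + 2 if data.startswith(b"\r\n", pos) else data.find(b"\r\n\r\n", pos) + 4
            if end < 4 or end != len(data):
                raise ChunkError("bad or trailing data after last chunk")
            return bytes(out)
        if size > MAX_CHUNK or len(out) + size > MAX_BODY:
            raise ChunkError("chunk of %d bytes exceeds limit" % size)
        if len(data) - pos < size + 2 or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data truncated or not CRLF-terminated")
        out += data[pos:pos + size]
        pos += size + 2

def apache_version_affected(server_header: str) -> bool:
    """True if the header names Apache 1.3.24 or earlier."""
    m = _SERVER.search(server_header)
    return bool(m) and tuple(int(x) for x in m.groups()) <= LAST_AFFECTED

# constructed sample bodies
GOOD = b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\n\r\n"
HUGE = b"FFFFFFFF\r\n"   # claims ~4 GiB; rejected before any copy happens
```

The decoder rejects the oversized size line with ChunkError rather than sizing any buffer from it, which is the property a request-handling layer needs regardless of platform word size.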
Products affected

OHS 1.0.2.1s for Apps only
OHS 1.0.2.2 based on #2120450
OHS 1.0.2.2 Roll up 2
OHS 9.0.2
OHS for Server 8.1.7
OHS for Server 9.0.1
OHS for Server 9.2

Platforms affected

Solaris
Windows NT
HP
Linux
AIX
Tru64

Workarounds

None

Patch Information
Oracle has fixed this potential security vulnerability under base bug number 2424256. Product Development is currently working on the fix for this issue. Patches for Windows NT and Sun Solaris will become available June 24th and June 25th. Patches for all other affected platforms will become available throughout the week of June 24th, with an expected completion by July 3rd.

Immediate patches for the base bug fix number 2424256 are being made available only for supported releases of Oracle9iAS: these are Release 2 (9.0.2), Release 1.0.2.2 and Release 1.0.2.1s (for Oracle Applications).

Patches under the same base bug number (2424256) are being made available for Oracle HTTP Server Release 9.0.1 (for Oracle9i Database) and Oracle HTTP Server Release 9.2.0 (for Oracle9iR2 Database) on all supported platforms.

When released by Oracle, Oracle9iAS Release 2 (9.0.2) for Windows and future releases of Oracle9iAS will include the fix to the potential security vulnerability described above by default.

Download currently available patches for your platform from Oracle Support Services Website, Metalink, http://metalink.oracle.com. Activate the "Patches" button to get the patches Web page. Enter bug 2424256 and activate the "Submit" button.

Please check with Metalink or Oracle Support Services periodically for patch availability if the patch for your platform is not available.

Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.
Patch Availability Matrix

Version                        | Download Release | Solaris | NT         | HP      | Linux   | AIX        | Tru64
-------------------------------|------------------|---------|------------|---------|---------|------------|-----------
OHS 1.0.2.1s for Apps only*    | OHS 1.3.12       | 6/24/02 | 6/24/02    | 6/26/02 | TBD     | 6/26/02    | 6/26/02
OHS 1.0.2.2 based on #2120450  | OHS 1.3.19       | 6/24/02 | 6/24/02    | 6/26/02 | 6/26/02 | 6/26/02    | 6/26/02
OHS 1.0.2.2**+                 | iAS 1.0.2        | 6/25/02 | 6/24/02    | TBD     | TBD     | TBD        | TBD
OHS 9.0.2+                     | iAS 9.0.2        | 6/24/02 | In Release | TBD     | TBD     | In Release | In Release
OHS for Server 8.1.7 ***       | Oracle 8.1.7.0   | 6/26/02 | 6/26/02    | TBD     | TBD     | TBD        | TBD
OHS for Server 9.0.1           | Oracle 9.0.1.0   | 6/26/02 | 6/25/02    | TBD     | 6/26/02 | 6/26/02    | 6/26/02
OHS for Server 9.2             | Oracle 9.2.0     | 6/26/02 | 6/26/02    | 6/26/02 | 6/26/02 | 6/26/02    | 6/26/02

* OHS 1.0.2.1s was built for Apps 11i customers for upgrade to 1.0.2.1. It is a required upgrade for this patch.
** This includes OHS 1.0.2.2 with all of the Roll up patches that have been released for 1.0.2.2. It is a superset of OHS 1.0.2.2 based on #2120450. This Rollup 2 is currently only available on NT and Solaris.
*** Release status for OHS for Server 8.1.7 will be determined by Wednesday 7/3/02.
+ You must be on at least 9iAS 1.0.2.2. Start the Oracle Installer to determine your 9iAS version.
Credits

Oracle Corporation thanks Mark Litchfield of Next Generation Security Software Limited for discovering and bringing this potential security vulnerability to Oracle's attention.

Change Record

This alert was modified 27-June-2002 by adding the Patch Availability matrix; the products and platforms affected and the availability of patches were clarified.

This alert was modified 1-July-2002 by updating the Patch Availability matrix with new patches available.

Submitted by Todd Randall, scadm@itec.mail.suny.edu
Editor: Barbara A. Boquard, Barb.Boquard@itec.mail.suny.edu
ITEC's General Office: 716/878-ITEC (4832)
Operations: 716/878-5122
FAX: 716/878-4235
Web Page: http://www.itec.suny.edu