Oracle releases security patch fixes; MySQL flaw surfaces

TechWorld.com - Oracle has released two sets of database patches to correct flaws in previously released security patches. One of the affected patches is itself a fix to an earlier set of patches.

Separately, a serious security flaw has surfaced in MySQL, the popular open-source database management system, potentially allowing remote attackers to take over a system.

Oracle said last week that it has identified problems with two of its security updates. The first relates to a Critical Patch Update in April, which fixed 70 security flaws in Oracle databases and application servers. Earlier this month, Oracle confirmed that the April Critical Patch Update was flawed -- a step was missing from the installation script. Last week, Oracle confirmed in an e-mail to customers that the July fix for the April update didn't work properly either.

Oracle also issued another quarterly Critical Patch Update in July; this update fixes the problems with the April update. However, the July update has problems of its own, causing problems with Oracle Database 10.1.0.3 and 10.1.0.4 and Oracle Enterprise Manager, Oracle said in a customer e-mail last week.

Customers running the affected versions of the database with Enterprise Manager should download an updated version, according to the company.

Oracle has come under criticism for its patching system in recent months. Most recently a German security firm released details of several high-risk Oracle flaws, along with work-arounds, claiming to have seen no action from Oracle two years after reporting the bugs (see Security firm details six unpatched Oracle flaws). The firm said the delay was more evidence that Oracle's patching system is in disarray.

Meanwhile, MySQL is vulnerable to a flaw involving the zlib compression library, according to an advisory from the database maker. MySQL contains a version of zlib that is vulnerable to a buffer overflow that could be exploited via a specially crafted compressed stream embedded in network communications or an application file format, according to researchers.

MySQL released an update, version 4.1.13, that fixes the problem, along with some less serious problems that could allow attackers to crash the server in various ways.