
Pete Finnigan's Oracle security weblog



Oracle Password Repository (OPR) is updated to version 1.1.8

July 2nd, 2005 by Pete


I got an email a couple of days ago from Jan-Marten Spit and Jasper Spit to let me know the details of why they pulled version 1.1.7 of OPR from SourceForge and worked to fix a security hole. The new version 1.1.8 fixes the problem that was highlighted in the post I made about installing 1.1.7 made by Mike Thomas. I won't go into great detail, but basically with 1.1.7 it was possible for a user, in certain circumstances, to create a malicious version of the Oracle client library and use it to take control of the account that owned and was running OPR.

Version 1.1.8 now checks the location of the ORACLE_HOME and loads the library from there. It gets the location from the oratab file, so OPR is now a little less environment tolerant (but safer). Also, OPR now only loads the Oracle libraries if the user running it is the repository owner. Version 1.1.8 also solves the issue with LD_ environment variables for dynamic library loading.

If you use OPR then please get over to the OPR home page on SourceForge and download it. If you do not use OPR then you could also get over there and consider using it to manage your Oracle passwords and help prevent password leakage on the command line.
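The checks described above can be sketched in C as follows. This is an added example, not OPR's own code: the function names are hypothetical, and `libclntsh.so` under `$ORACLE_HOME/lib` is assumed to be the client library being loaded. It resolves ORACLE_HOME from an oratab-format file instead of the environment, refuses callers other than the repository owner, and rejects a library file that other users could have replaced.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Find ORACLE_HOME for `sid` in an oratab-format file (SID:ORACLE_HOME:Y|N).
 * The environment is never consulted. Returns 0 on success. */
static int oratab_home(const char *oratab, const char *sid, char *home, size_t len)
{
    char line[1024];
    int rc = -1;
    FILE *f = fopen(oratab, "r");
    if (!f) return -1;
    while (rc != 0 && fgets(line, sizeof line, f)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] == '#') continue;               /* comment line */
        char *path = strchr(line, ':');
        if (!path) continue;
        *path++ = '\0';                             /* line now holds the SID */
        if (strcmp(line, sid) != 0) continue;
        path[strcspn(path, ":")] = '\0';            /* drop the trailing :Y|N */
        if (path[0] != '/' || strlen(path) >= len) continue; /* absolute only */
        strcpy(home, path);
        rc = 0;
    }
    fclose(f);
    return rc;
}

/* Write the absolute client library path into `out` only if the caller is the
 * repository owner and the file is a regular file, owned by that owner or root,
 * and not writable by group or others. Returns 0 on success. */
int resolve_client_lib(const char *oratab, const char *sid, uid_t repo_owner,
                       char *out, size_t len)
{
    char home[512];
    struct stat st;
    if (getuid() != repo_owner) return -1;          /* only the owner loads libs */
    if (oratab_home(oratab, sid, home, sizeof home) != 0) return -1;
    /* libclntsh.so under $ORACLE_HOME/lib is an assumed target library */
    int n = snprintf(out, len, "%s/lib/libclntsh.so", home);
    if (n < 0 || (size_t)n >= len) return -1;
    if (stat(out, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    if (st.st_uid != repo_owner && st.st_uid != 0) return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;
    return 0;   /* caller passes `out` (an absolute path) to dlopen() */
}
```

Passing an absolute path to `dlopen()` means the loader does not search `LD_LIBRARY_PATH` for that library; the example checks only the library file itself, not the permissions of its parent directories.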



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
