A potential security vulnerability has been discovered in the TO_TIMESTAMP_TZ function of Oracle9i Database. A knowledgeable and malicious user can exploit a buffer overflow in this function.
This potential security vulnerability is fixed in the last patchset level for each database release on all platforms. It will be available in the Oracle9i Database Release 2 v 188.8.131.52 patchset. It is available on Oracle9i Database Release 2 v 184.108.40.206, Oracle9i Database Release 1 v 220.127.116.11, on Oracle8i Database v 18.104.22.168, on Oracle8i Database v 22.214.171.124 and on Oracle8i Database v 126.96.36.199. It is available for Oracle8 Database v 8.0.6 on demand.
Download the currently available patches from the Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com).
Alert #50, Rev 2, Updated 14 February 2003
Patches are available on Metalink.
The article continues at http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf