Version question: Possible security vulnerability in Open Server 15.5 and earlier

7 posts in General Discussion Last posting was on 2011-07-29 21:40:53.0Z
Paul Fenstermacher Posted on 2011-07-29 19:07:37.0Z

Received notice of "Possible security vulnerability in Open
Server 15.5 and earlier":
http://www.sybase.com/detail?id=1094235

We support several customers running different Sybase
versions and I am trying to figure out which customers are
affected so I can take appropriate steps. The customers run
both ASE and Open Server.

None of them run ASE/Open Server 15.5.

The "Affected Platforms" lists ASE 15.0.3 ESD #4.

We have some systems running ASE 15.0.3 ESD #3. Is that
version affected (or possibly affected) by this
vulnerability?

We also have systems running Sybase 15.0.2. Is that version
affected (or possibly affected) by this vulnerability?

Finally, we have some customers running 12.5.x versions
ranging from 12.5.0.3 through 12.5.3. Are any 12.5.x
versions affected by this vulnerability?


Jason L. Froebe [TeamSybase] Posted on 2011-07-29 19:47:19.0Z

On 7/29/2011 2:07 PM, Paul Fenstermacher wrote:
> Received notice of "Possible security vulnerability in Open
> Server 15.5 and earlier":
> http://www.sybase.com/detail?id=1094235
>
> We support several customers running different Sybase
> versions and I am trying to figure out which customers are
> affected so I can take appropriate steps. The customers run
> both ASE and Open Server.
>
> None of them run ASE/Open Server 15.5.
>
> The "Affected Platforms" lists ASE 15.0.3 ESD #4.
>
> We have some systems running ASE 15.0.3 ESD #3. Is that
> version affected (or possibly affected) by this
> vulnerability?
>
> We also have systems running Sybase 15.0.2. Is that version
> affected (or possibly affected) by this vulnerability?
>
> Finally, we have some customers running 12.5.x versions
> ranging from 12.5.0.3 through 12.5.3. Are any 12.5.x
> versions affected by this vulnerability?

I think the key words are "Possible security vulnerability in Open
Server 15.5 and earlier". ;-) For 15.0+ and 15.5+, expect patches
soon. For 12.x and earlier, upgrade.

jason


Paul Fenstermacher. Posted on 2011-07-29 20:31:06.0Z

> On 7/29/2011 2:07 PM, Paul Fenstermacher wrote:
> > Received notice of "Possible security vulnerability in
> > Open Server 15.5 and earlier":
> > http://www.sybase.com/detail?id=1094235
> >
> > We support several customers running different Sybase
> > versions and I am trying to figure out which customers
> > are affected so I can take appropriate steps. The
> > customers run both ASE and Open Server.
> >
> > None of them run ASE/Open Server 15.5.
> >
> > The "Affected Platforms" lists ASE 15.0.3 ESD #4.
> >
> > We have some systems running ASE 15.0.3 ESD #3. Is that
> > version affected (or possibly affected) by this
> > vulnerability?
> >
> > We also have systems running Sybase 15.0.2. Is that
> > version affected (or possibly affected) by this
> > vulnerability?
> >
> > Finally, we have some customers running 12.5.x versions
> > ranging from 12.5.0.3 through 12.5.3. Are any 12.5.x
> > versions affected by this vulnerability?
>
>
> I think the key words are "Possible security vulnerability
> in Open Server 15.5 and earlier". ;-) For 15.0+ and
> 15.5+, expect patches soon. For 12.x and earlier,
> upgrade.
>
> jason
>

Jason:

I appreciate the quick response. Yes, I agree about 12.x.

As a side note, all the customers are on Sun Solaris SPARC
32-bit (I know about ASE end of life on Solaris SPARC 32
bit, so have to address that too, but that's another topic).

Back to the vulnerability... I see EBF 18847 is released to
address it for ASE 15.0.3 ESD #4 on Sun Solaris SPARC 32
bit.

So just interested in whether vulnerability is present and
EBFs will be released for earlier versions such as ASE
15.0.3 ESD #3, 15.0.2 etc., or if the only option for those
versions is upgrade to ASE 15.0.3 ESD #4 and apply EBF
18847.

I realize it might be a bit early for specifics/a definitive
answer, so if no more info available at this time, that's
OK. Sybase ASE is such a reliable DBMS, so reliable that I
essentially never have to patch it (unlike the ever-buggy
Oracle, which I constantly patch), which is a great thing,
it just means I get rusty on patch policies etc.

Thank you again.


Paul Fenstermacher Posted on 2011-07-29 20:49:50.0Z
Subject: Thank you, my questions are answered.

Jason, Rob, thank you both for your quick responses.

Much appreciated,
Paul Fenstermacher


Rob V [ Sybase ] Posted on 2011-07-29 20:22:18.0Z

On 29-Jul-2011 21:07, Paul Fenstermacher wrote:
> Received notice of "Possible security vulnerability in Open
> Server 15.5 and earlier":
> http://www.sybase.com/detail?id=1094235
>
> We support several customers running different Sybase
> versions and I am trying to figure out which customers are
> affected so I can take appropriate steps. The customers run
> both ASE and Open Server.
>
> None of them run ASE/Open Server 15.5.
>
> The "Affected Platforms" lists ASE 15.0.3 ESD #4.
>
> We have some systems running ASE 15.0.3 ESD #3. Is that
> version affected (or possibly affected) by this
> vulnerability?
>
> We also have systems running Sybase 15.0.2. Is that version
> affected (or possibly affected) by this vulnerability?
>
> Finally, we have some customers running 12.5.x versions
> ranging from 12.5.0.3 through 12.5.3. Are any 12.5.x
> versions affected by this vulnerability?

Note that ASE itself is not affected.

A clarification was just added to the description of the issue at
http://www.sybase.com/detail?id=1094235:
"NOTE : Within the ASE Bundle, only the supplemental servers are
affected. That is Backup Server, Monitor Server, Historical Server, XP
Server, and Job Scheduler. The ASE Server itself is not affected by this
issue."

HTH,

Rob V.
-----------------------------------------------------------------
Rob Verschoor

Certified Sybase Professional DBA for ASE 15.0/12.5/12.0/11.5/11.0
and Replication Server 15.0.1/12.5 // TeamSybase

Author of Sybase books (order online at www.sypron.nl/shop):
"Tips, Tricks & Recipes for Sybase ASE" (ASE 15 edition)
"The Complete Sybase ASE Quick Reference Guide"
"The Complete Sybase Replication Server Quick Reference Guide"

rob@NO.SPAM.sypron.nl | www.sypron.nl | Twitter: @rob_verschoor
Sypron B.V., The Netherlands | Chamber of Commerce 27138666
-----------------------------------------------------------------


Paul Fenstermacher Posted on 2011-07-29 20:37:28.0Z

> On 29-Jul-2011 21:07, Paul Fenstermacher wrote:
> > Received notice of "Possible security vulnerability in
> > Open Server 15.5 and earlier":
> > http://www.sybase.com/detail?id=1094235
> >
> > We support several customers running different Sybase
> > versions and I am trying to figure out which customers
> > are affected so I can take appropriate steps. The
> > customers run both ASE and Open Server.
> >
> > None of them run ASE/Open Server 15.5.
> >
> > The "Affected Platforms" lists ASE 15.0.3 ESD #4.
> >
> > We have some systems running ASE 15.0.3 ESD #3. Is that
> > version affected (or possibly affected) by this
> > vulnerability?
> >
> > We also have systems running Sybase 15.0.2. Is that
> > version affected (or possibly affected) by this
> > vulnerability?
> >
> > Finally, we have some customers running 12.5.x versions
> > ranging from 12.5.0.3 through 12.5.3. Are any 12.5.x
> > versions affected by this vulnerability?
>
> Note that ASE itself is not affected.
>
> A clarification was just added to the description of the
> issue at http://www.sybase.com/detail?id=1094235:
> "NOTE : Within the ASE Bundle, only the supplemental
> servers are affected. That is Backup Server, Monitor
> Server, Historical Server, XP Server, and Job Scheduler.
> The ASE Server itself is not affected by this issue."
>
> HTH,
>
> Rob V.
> -----------------------------------------------------------------
> Rob Verschoor
>
> Certified Sybase Professional DBA for ASE 15.0/12.5/12.0/11.5/11.0
> and Replication Server 15.0.1/12.5 // TeamSybase
>
> Author of Sybase books (order online at www.sypron.nl/shop):
> "Tips, Tricks & Recipes for Sybase ASE" (ASE 15 edition)
> "The Complete Sybase ASE Quick Reference Guide"
> "The Complete Sybase Replication Server Quick Reference Guide"
>
> rob@NO.SPAM.sypron.nl | www.sypron.nl | Twitter: @rob_verschoor
> Sypron B.V., The Netherlands | Chamber of Commerce 27138666
> -----------------------------------------------------------------
>

Rob:

Thank you, that fact is a big help.

We do have an Open Server application, and of course we run
backup server for our dataserver. But none of the other
listed servers (which I'd guess are written using Open
Server).

So dataserver not affected is a good thing.

Also - thank you so much for writing and updating the purple
book. I have the 3rd and 4th editions on my desk, carry them
with me everywhere, and refer to them nearly every day.

Appreciate it,
Paul


Rob V [ Sybase ] Posted on 2011-07-29 21:40:53.0Z

On 29-Jul-2011 22:37, Paul Fenstermacher wrote:
>> On 29-Jul-2011 21:07, Paul Fenstermacher wrote:
>>> Received notice of "Possible security vulnerability in
>>> Open Server 15.5 and earlier":
>>> http://www.sybase.com/detail?id=1094235
>>>
>>> We support several customers running different Sybase
>>> versions and I am trying to figure out which customers
>>> are affected so I can take appropriate steps. The
>>> customers run both ASE and Open Server.
>>>
>>> None of them run ASE/Open Server 15.5.
>>>
>>> The "Affected Platforms" lists ASE 15.0.3 ESD #4.
>>>
>>> We have some systems running ASE 15.0.3 ESD #3. Is that
>>> version affected (or possibly affected) by this
>>> vulnerability?
>>>
>>> We also have systems running Sybase 15.0.2. Is that
>>> version affected (or possibly affected) by this
>>> vulnerability?
>>>
>>> Finally, we have some customers running 12.5.x versions
>>> ranging from 12.5.0.3 through 12.5.3. Are any 12.5.x
>>> versions affected by this vulnerability?
>> Note that ASE itself is not affected.
>>
>> A clarification was just added to the description of the
>> issue at http://www.sybase.com/detail?id=1094235:
>> "NOTE : Within the ASE Bundle, only the supplemental
>> servers are affected. That is Backup Server, Monitor
>> Server, Historical Server, XP Server, and Job Scheduler.
>> The ASE Server itself is not affected by this issue."
>>
>> HTH,
>>
>> Rob V.
>> -----------------------------------------------------------------
>> Rob Verschoor
>>
>> Certified Sybase Professional DBA for ASE 15.0/12.5/12.0/11.5/11.0
>> and Replication Server 15.0.1/12.5 // TeamSybase
>>
>> Author of Sybase books (order online at www.sypron.nl/shop):
>> "Tips, Tricks & Recipes for Sybase ASE" (ASE 15 edition)
>> "The Complete Sybase ASE Quick Reference Guide"
>> "The Complete Sybase Replication Server Quick Reference Guide"
>>
>> rob@NO.SPAM.sypron.nl | www.sypron.nl | Twitter: @rob_verschoor
>> Sypron B.V., The Netherlands | Chamber of Commerce 27138666
>> -----------------------------------------------------------------
>>
> Rob:
>
> Thank you, that fact is a big help.
>
> We do have an Open Server application, and of course we run
> backup server for our dataserver. But none of the other
> listed servers (which I'd guess are written using Open
> Server).
>
> So dataserver not affected is a good thing.
>
> Also - thank you so much for writing and updating the purple
> book. I have the 3rd and 4th editions on my desk, carry them
> with me everywhere, and refer to them nearly every day.
>
> Appreciate it,
> Paul

You're welcome ;-)

Rob V.