Critical Patch Update for Oracle listed a vulnerability in the TNS Listener services as
one of the patched vulnerabilities. It turns out that current versions of
Oracle are not patched. Instead, the vulnerability will apparently only be
fixed in future versions of the Oracle database. According to a statement from
Oracle quoted by the discoverer of the vulnerability, the fix would have
possibly had stability issues for current versions of Oracle.
The vulnerability was responsibly reported to Oracle back in 2008. Upon release of
the April CPU, Joxean Koret, who originally found the vulnerability, came
forward with additional details including a proof of concept exploit, fully
expecting that a patch was now available.
Reference:
http://isc.sans.edu/diary.html?storyid=13069