=====================================================================
                           CERT-Renater
                 Information Note No. 2007/VULN533
_____________________________________________________________________

DATE                 : 20/12/2007

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Windows running Ingres v2.6, Ingres v2.5.

======================================================================
http://www.ingres.com/support/security-alertDec17.php
______________________________________________________________________

Ingres Security Alert/NGSS/iDefense

COMMUNICATION CONTENT

December 17, 2007

Dear Valued Ingres Customer:

Information security is of utmost priority to Ingres. A vulnerability
has recently been identified in Ingres 2.6 and Ingres 2.5 for Windows
Only. The vulnerability does not occur in Ingres r3 or any release of
Ingres 2006; however, an error message could be generated.

We have given this vulnerability a security threat level of High, and
recommend that the available security patches be applied immediately.
Fixes are available for the Windows platform for all releases of
Ingres 2006, Ingres r3, Ingres 2.6 and Ingres 2.5 and can be quickly
applied with little to no anticipated impact to systems.

Ingres customers with a current support contract can review the
following knowledge base document for information on downloading the
available fixes:

http://servicedesk.ingres.com/CAisd/pdmweb.ingres?OP=SHOW_DETAIL+PERSID=KD:415703+HTMPL=kt_document_view.htmpl.

E_GC1008 Unable to authenticate client's user ID error – bug 118431

Description:
Beginning with Ingres r3 and including Ingres 2006, users different
from the first connected user were getting an "E_GC1008 Unable to
authenticate client's user ID" error if running their application
under Microsoft Windows IIS with Integrated Windows Authentication
(IWA), thus preventing them from connecting to Ingres.

Users connecting after the first user were connecting to Ingres as
the first user – Bug 116825

Description:
In earlier releases of Ingres 2.6 and 2.5 users do not experience the
above error, but Windows had a more serious (unreported) problem;
namely, users connecting after the first user were connecting to
Ingres as the first user, not as themselves.

For more information about Ingres security alerts and to register to
proactively receive these alerts via email, please visit:
http://ingres.com/support/security.php.

Regards,

Bill Maimone                          Pamela Fowler
Senior Vice President, Engineering    VP of WW Support
Ingres Corporation                    Ingres Corporation

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 151 bd de l'Hopital | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: certsvp@renater.fr      +
=========================================================