Message-ID: <003601c5cb91$7fc48850$1a00110a@64DOG>
Date: Fri, 7 Oct 2005 16:50:22 -0600
From: "Kurt Seifried" <bt@...fried.org>
To: "David Litchfield" <davidl@...software.com>,
	"Gadi Evron" <ge@...uxbox.org>
Cc: <bugtraq@...urityfocus.com>, <ntbugtraq@...tserv.ntbugtraq.com>
Subject: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers


http://www.red-database-security.com/advisory/published_alerts.html

19-jul-2005 - Advisory: Various Cross-Site-Scripting Vulnerabilities in Oracle Report - [Various CSS in Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Read parts of any XML-file on the application server via Oracle Report - [Read parts of any XML file via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Read parts of any file on the application server via Oracle Report - [Read parts of any file via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Overwrite any file on the application server via Oracle Report - [Overwrite files via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Report from any directory - [Run any OS command via Oracle Reports] (Not fixed after 700+ days)
19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Forms from any directory - [Run any OS command via Oracle Forms] (Not fixed after 700+ days)

Plus the last few crops of items that Oracle addressed containing items not 
fixed for almost 2 years, plus the fact that their security patches often 
fail to apply properly, plus the fact that their security patches now appear 
to sometimes not address the problem properly if at all, plus the fact that 
Oracle touts security, ran a nice big unbreakable campaign, etc, etc.

There's a ton of anecdotal evidence. There's a ton of security advisories 
with notification to release times measured in years (this actually seems to 
be quite normal). What more do you need? I look at open source vendors and 
projects, they have become amazingly responsive (major Linux kernel issues 
addressed in <1 month as a rule, often in days or a week), and even the 
closed sourced vendors that formerly were problematic have gotten better in 
general (Microsoft is a good example of improvement, pity they have to 
maintain such complete backwards compatibility though or I suspect we'd see 
much more improvement).

In the last 7 or so years I haven't seen much in the way of improvement from 
Oracle, security-wise.

-Kurt Seifried
http://seifried.org/freescan2/