Message-ID: <Pine.WNT.4.58.0402051602540.500@Nanook>
From: chris at ngssoftware.com (Chris Anley)
Subject: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

> Hey Chris.

Hey Cesar.

>
> First of all, your advisories are a bit wrong:
> ...Systems Affected: 	Oracle 9 prior to 9.2.0.3
>
> Actually Systems affected are Oracle 9 prior to
> 9.2.0.4 (Patchset 3).
>
> The date in Metalink site of the Patch that fixes
> these vulnerabilities is January 2 and your advisories
> are from December.
>
> I could be wrong; Oracle patch numbering, dates,
> etc. really suck, but you could be wrong too about the
> version of Oracle your advisory said was affected
> :).

Interesting. The information we had direct from Oracle was that
these issues were fixed in 9.2.0.3. Perhaps Oracle could resolve the
discrepancy? I'm willing to believe that either, or neither of
us is right :o)

> The fact is that I contacted Oracle before the fix was
> available; they released the fix and they didn't tell
> me anything, they didn't release any public alert, and
> your advisory isn't on any public list, it's only on
> your site. Finally, given that the date of the patch
> that fixes these vulns is January 2, you published the
> advisories on your site before the fix was available.
> Again, I could be wrong.

As I say, we had definitive information from Oracle that the issues were
fixed in 9.2.0.3; we've heard nothing to the contrary from Oracle or
anyone else up until your post. So it would be good to get to the
bottom of this; there's definitely a communication breakdown somewhere.

> BTW: I'm curious, why didn't you post those
> advisories to public mailing lists?

As far as we were concerned, these were old bugs. If current versions
aren't affected, or if the bugs are of low severity, we tend not to issue
advisories to mailing lists.

     -chris.

