lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040206022641.35535.qmail@web40007.mail.yahoo.com>
From: cesarc56 at yahoo.com (Cesar)
Subject: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

I forgot, i'm serious the +60 issues are true and are
not fixed yet. So if you are running Oracle database
then be careful, and remember to start complaining to
Oracle!!!.

Cesar.
--- Cesar <cesarc56@...oo.com> wrote:
> Don't worry, Oracle sucks, probably they won't say
> anything.
> 
> Just to clarify(oh my god, i feel sorry about Oracle
> users, it's a pain in the ass to find the correct
> patches, to install them, etc.) the patch that fix
> these vulnerabilities is Patch 3 from January 2 it
> goes on top of Patchset 3 (9.2.0.4). If you (all
> people) don't understand don't worry i also don't
> understand much this Oracle patch stuff:), but if
> you
> are paying to get the patches and support then it
> should be easy, shouldn't be? 
> 
> Cesar.
> --- Chris Anley <chris@...software.com> wrote:
> > > Hey Chris.
> > 
> > Hey Cesar.
> > 
> > >
> > > First of all, your advisories are a bit wrong:
> > > ...Systems Affected: 	Oracle 9 prior to 9.2.0.3
> > >
> > > Actually Systems affected are Oracle 9 prior to
> > > 9.2.0.4 (Patchset 3).
> > >
> > > The date in Metalink site of the Patch that
> fixes
> > > these vulnerabilities is January 2 and your
> > advisories
> > > are from December.
> > >
> > > I could be wrong, Oracle patches numeration,
> > dates,
> > > etc. really sucks, but you could be wrong too as
> > the
> > > version of Oracle your advisory said it was
> > affected
> > > :).
> > 
> > Interesting. The information we had direct from
> > Oracle was that
> > these issues were fixed in 9.2.0.3. Perhaps Oracle
> > could resolve the
> > discrepancy? I'm willing to believe that either,
> or
> > neither of
> > us is right :o)
> > 
> > > The fact is that i contacted Oracle before the
> fix
> > was
> > > available, they released the fix and they didn't
> > told
> > > me anything, they didn't released any public
> alert
> > and
> > > your advisory isn't in any public list, it's
> only
> > on
> > > your site. Finally, given that the date of the
> > patch
> > > that fixes these vulns is January 2, you
> published
> > the
> > > advisories in your site before the fix was
> > available.
> > > Again i could be wrong.
> > 
> > As I say, we had definitive information from
> Oracle
> > that the issues were
> > fixed in 9.2.0.3; we've heard nothing to the
> > contrary from Oracle or
> > anyone else up until your post. So it would be
> good
> > to get to the
> > bottom of this; there's definitely a communication
> > breakdown somewhere.
> > 
> > > BTW: i'm curious, Why you didn't posted those
> > > advisories to public mailing lists?
> > 
> > As far as we were concerned, these were old bugs.
> If
> > current versions
> > aren't affected, or if the bugs are of low
> severity,
> > we tend not to issue
> > advisories to mailing lists.
> > 
> >      -chris.
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance: Get your refund fast by filing
> online.
> http://taxes.yahoo.com/filing.html
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html


__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ