From: cesarc56 at yahoo.com (Cesar)
Subject: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

I forgot: I'm serious, the 60+ issues are true and are
not fixed yet. So if you are running Oracle database,
then be careful, and remember to start complaining to
Oracle!!!

Cesar.
--- Cesar <cesarc56@...oo.com> wrote:
> Don't worry, Oracle sucks, probably they won't say
> anything.
> 
> Just to clarify (oh my god, I feel sorry about Oracle
> users, it's a pain in the ass to find the correct
> patches, to install them, etc.): the patch that fixes
> these vulnerabilities is Patch 3 from January 2; it
> goes on top of Patchset 3 (9.2.0.4). If you (all
> people) don't understand, don't worry, I also don't
> understand much of this Oracle patch stuff :), but if
> you are paying to get the patches and support then it
> should be easy, shouldn't it?
> 
> Cesar.
> --- Chris Anley <chris@...software.com> wrote:
> > > Hey Chris.
> > 
> > Hey Cesar.
> > 
> > > First of all, your advisories are a bit wrong:
> > > ...Systems Affected: Oracle 9 prior to 9.2.0.3
> > >
> > > Actually, Systems Affected are Oracle 9 prior to
> > > 9.2.0.4 (Patchset 3).
> > >
> > > The date on the Metalink site of the patch that
> > > fixes these vulnerabilities is January 2, and your
> > > advisories are from December.
> > >
> > > I could be wrong, Oracle patch numeration, dates,
> > > etc. really suck, but you could be wrong too as to
> > > the version of Oracle your advisory said was
> > > affected :).
> > 
> > Interesting. The information we had direct from
> > Oracle was that these issues were fixed in 9.2.0.3.
> > Perhaps Oracle could resolve the discrepancy? I'm
> > willing to believe that either, or neither, of us is
> > right :o)
> > 
> > > The fact is that I contacted Oracle before the fix
> > > was available, they released the fix and they didn't
> > > tell me anything, they didn't release any public
> > > alert, and your advisory isn't in any public list,
> > > it's only on your site. Finally, given that the date
> > > of the patch that fixes these vulns is January 2,
> > > you published the advisories on your site before the
> > > fix was available. Again, I could be wrong.
> > 
> > As I say, we had definitive information from Oracle
> > that the issues were fixed in 9.2.0.3; we've heard
> > nothing to the contrary from Oracle or anyone else up
> > until your post. So it would be good to get to the
> > bottom of this; there's definitely a communication
> > breakdown somewhere.
> > 
> > > BTW: I'm curious, why didn't you post those
> > > advisories to public mailing lists?
> > 
> > As far as we were concerned, these were old bugs. If
> > current versions aren't affected, or if the bugs are
> > of low severity, we tend not to issue advisories to
> > mailing lists.
> > 
> >      -chris.
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> > http://lists.netsys.com/full-disclosure-charter.html

