Message-ID: <BAY1-F163VTvKRNZSPG0003135c@hotmail.com>
From: hughmann at hotmail.com (Hugh Mann)
Subject: 1 year to fix a critical vuln [WAS: Heap Overflow in Oracle 9iAS .....]
>Vulnerability History
>---------------------
>
> DATE            INFO
>-------------    ------------------------------------------------------
>17 April 2003    Vulnerability Discovered
>22 April 2003    Contacted CERT
>23 April 2003    Contacted Oracle
>23 April 2003    CERT Replied - Assigned VU#643985
>12 March 2004    Oracle Security Alert #66 Rev.1 Released
> 2 April 2004    Oracle Security Alert #66 Rev.2 Released with Credits
> 8 April 2004    Public Advisory Released to
>                 bugtraq@...urityfocus.com
>                 vulnwatch@...nwatch.org
>                 full-disclosure@...ts.netsys.com
What a world we live in when it takes one year for a company to fix its
bug, and the company reporting the vuln doesn't care that it takes a year either.
Waiting a year to fix a vuln is NOT security. Fix it ASAP.

I know why this happened. These so-called security companies, and you know
who you are, are too afraid to put more pressure on the companies hiring
amateur programmers. They're afraid someone will say they're helping hackers
by releasing their advisories if Buggy Company Ltd. doesn't fix the bug in
time, so they wait and wait and wait. What the hell happened to a maximum of 30 days?
Which company will be the first to wait 2 years to fix a vuln?