Full Disclosure mailing list archives
1 year to fix a critical vuln [WAS: Heap Overflow in Oracle 9iAS .....]
From: "Hugh Mann" <hughmann () hotmail com>
Date: Thu, 08 Apr 2004 16:18:12 +0000
Vulnerability History
---------------------

DATE            INFO
-------------   ------------------------------------------------------
17 April 2003   Vulnerability Discovered
22 April 2003   Contacted CERT
23 April 2003   Contacted Oracle
23 April 2003   CERT Replied - Assign VU#643985
12 March 2004   Oracle Security Alert #66 Rev.1 Released
2 April 2004    Oracle Security Alert #66 Rev.2 Released with Credits
8 April 2004    Public Advisory Released to bugtraq () securityfocus com
                vulnwatch () vulnwatch org
                full-disclosure () lists netsys com
What a world we live in when it takes one year for a company to fix their bug and the company reporting the vuln doesn't care that it takes a year either. Waiting a year to fix a vuln is NOT security. Fix it ASAP.

I know why this happened. These so-called security companies, and you know who you are, are too afraid to put more pressure on the companies hiring amateur programmers. They're afraid someone will say they're helping hackers by releasing their advisories if Buggy Company Ltd. doesn't fix the bug in time, so they wait and wait and wait. What the hell happened to max 30 days? Which company will be first to wait 2 years to fix a vuln?
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html