Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

[Cesar <cesarc56 () yahoo com>]

Don't worry, Oracle sucks, probably they won't say
anything.

Just to clarify(oh my god, i feel sorry about Oracle
users, it's a pain in the ass to find the correct
patches, to install them, etc.) the patch that fix
these vulnerabilities is Patch 3 from January 2 it
goes on top of Patchset 3 (9.2.0.4). If you (all
people) don't understand don't worry i also don't
understand much this Oracle patch stuff:), but if you
are paying to get the patches and support then it
should be easy, shouldn't be? 

Cesar.
--- Chris Anley <chris () ngssoftware com> wrote:
> > Hey Chris.
>
> Hey Cesar.
>
> > First of all, your advisories are a bit wrong:
> > ...Systems Affected:        Oracle 9 prior to 9.2.0.3
> >
> > Actually Systems affected are Oracle 9 prior to
> > 9.2.0.4 (Patchset 3).
> >
> > The date in Metalink site of the Patch that fixes
> > these vulnerabilities is January 2 and your
> advisories
> > are from December.
> >
> > I could be wrong, Oracle patches numeration,
> dates,
> > etc. really sucks, but you could be wrong too as
> the
> > version of Oracle your advisory said it was
> affected
> > :).
>
> Interesting. The information we had direct from
> Oracle was that
> these issues were fixed in 9.2.0.3. Perhaps Oracle
> could resolve the
> discrepancy? I'm willing to believe that either, or
> neither of
> us is right :o)
>
> > The fact is that i contacted Oracle before the fix
> was
> > available, they released the fix and they didn't
> told
> > me anything, they didn't released any public alert
> and
> > your advisory isn't in any public list, it's only
> on
> > your site. Finally, given that the date of the
> patch
> > that fixes these vulns is January 2, you published
> the
> > advisories in your site before the fix was
> available.
> > Again i could be wrong.
>
> As I say, we had definitive information from Oracle
> that the issues were
> fixed in 9.2.0.3; we've heard nothing to the
> contrary from Oracle or
> anyone else up until your post. So it would be good
> to get to the
> bottom of this; there's definitely a communication
> breakdown somewhere.
>
> > BTW: i'm curious, Why you didn't posted those
> > advisories to public mailing lists?
>
> As far as we were concerned, these were old bugs. If
> current versions
> aren't affected, or if the bugs are of low severity,
> we tend not to issue
> advisories to mailing lists.
>
>      -chris.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html


__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html