Computerworld ran an article a month ago that talks a little more about the vulnerabilities. It gives a "bit" more information.
ComputerWorld
Quick bounce as I notice Oracle have updated note 281189.1 with completion dates for 9.2.0.4 on Windows. Due some time this month.
Cheers.
Nick
What do you guys think of the vulnerabilities listed in the link below?
http://www.appsecinc.com/resources/...acle/2004-0001/
Would I be correct to assume that Oracle will not develop patches to fix any "Desupported" versions?
Quote:
Originally posted by rad_jen
What do you guys think of the vulnerabilities listed in the link below?
http://www.appsecinc.com/resources/...acle/2004-0001/

Are these all vulnerabilities?
Quote:
Originally posted by julian
Are these all vulnerabilities?

It states that those are only "....vulnerabilities researched and discovered by Cesar Cerrudo and Esteban Martinez Fayo of Application Security, Inc.". There are plenty of other vulnerabilities discovered and reported by other sources.
Quote:
Originally posted by jmodic
There are plenty of other vulnerabilities discovered and reported by other sources.

URL?
About the "other" vulnerabilities. These links are very general.
I'm not sure what you would really like to have. You asked if there are any other vulnerabilities besides those reported by Appsecinc and you were told there are plenty of others. You asked for a URL and Pando has provided you four other URLs on this subject. Now you object that they are "too general". What kind of details do you want? If you had followed some of those URLs you would have found out that it is a common practice among those researchers that they do not publish any details about security vulnerability findings, at least not until the patches are available. The reason for that is very obvious.
David Litchfield alone has reported the finding of 34 different vulnerabilities in Oracle's database software - he reported them to Oracle and provided no further details about those flaws to the general public.
In one of Pando's URLs you can find the following:
Quote:
.... NGSSoftware are going to withhold details about these flaws for three months. Full details will be published on the 31st of November 2004. This three month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public. This reflects NGSSoftware's new approach to responsible disclosure.

Bottom line:
Q: "Are there any other known vulnerabilities?"
A: "Yes. Yes. Yes."
Q: "Can you give more details about them?"
A: a) "GIYF"; b) "You would probably have to press on Oracle to publish some more details about them."