Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

[Chris Anley <chris () ngssoftware com>]

> Hey Chris.

Hey Cesar.

> First of all, your advisories are a bit wrong:
> ...Systems Affected:  Oracle 9 prior to 9.2.0.3
>
> Actually Systems affected are Oracle 9 prior to
> 9.2.0.4 (Patchset 3).
>
> The date in Metalink site of the Patch that fixes
> these vulnerabilities is January 2 and your advisories
> are from December.
>
> I could be wrong, Oracle patches numeration, dates,
> etc. really sucks, but you could be wrong too as the
> version of Oracle your advisory said it was affected
> :).

Interesting. The information we had direct from Oracle was that
these issues were fixed in 9.2.0.3. Perhaps Oracle could resolve the
discrepancy? I'm willing to believe that either, or neither of
us is right :o)

> The fact is that i contacted Oracle before the fix was
> available, they released the fix and they didn't told
> me anything, they didn't released any public alert and
> your advisory isn't in any public list, it's only on
> your site. Finally, given that the date of the patch
> that fixes these vulns is January 2, you published the
> advisories in your site before the fix was available.
> Again i could be wrong.

As I say, we had definitive information from Oracle that the issues were
fixed in 9.2.0.3; we've heard nothing to the contrary from Oracle or
anyone else up until your post. So it would be good to get to the
bottom of this; there's definitely a communication breakdown somewhere.

> BTW: i'm curious, Why you didn't posted those
> advisories to public mailing lists?

As far as we were concerned, these were old bugs. If current versions
aren't affected, or if the bugs are of low severity, we tend not to issue
advisories to mailing lists.

     -chris.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html