Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US

resend - how can I best quantify my level of disgust? (oracle alert #68)

From: Paul Drake <bdbafh_at_gmail.com>
Date: Thu, 2 Sep 2004 21:52:52 -0400
Message-ID: <910046b4040902185252ae9935@mail.gmail.com>


Mladen,

Respected professionals do not publish exploit code prior to the patches being widely deployed.

This was not the forum in which to post such code. This was not the time to post such code.

I am not defending Oracle dragging their feet on releasing the patches, or in not identifying a gaping hole in a new feature. I am not criticizing your abilities to write code, use perl or use wit.

I am angered due to you making this issue (alert #68) now larger for me. I have been busy attempting to test these patchsets for 3 releases on 2 platforms.
I want to make sure that I don't cripple a client site with a patchset that wasn't at least moderately tested.

Did you read the article where David Litchfield was interviewed? He does not publicly disclose exploit code until after the fixes have been available long enough for people to apply them. He had to change his presentations due to Oracle not releasing patchsets sooner. That is responsible, professional behavior, and it helps him to avoid litigation. He is a white hat.

Pete and Jonathan also did not reveal exploits (up to this point, that I know of).

You now make me wish that this list was moderated.

Please don't post the exploit code on comp.databases.oracle.server either. Not everyone would have been able to deduce the exploit code from what is known. You have effectively brought the exploit into the script kiddie realm.

Fortunately, your exploit code only affects 10.1.0.2, and not the other releases.
If you come up with exploits for the other versions, please don't post them here or in other public forums. Share them with Pete, Jonathan, David Litchfield - but I would personally prefer that you share it with Mary Ann Davidson or whomever else handles such issues for Oracle - through the channels. Metalink, OTN, etc.

Steve, if I am overstepping my bounds, treat me appropriately, but this was not professional behavior as stated in the email that I received today when I changed accounts. It's not my place to moderate either - but Mladen really messed up this time - IMHO.

And it affected me.

Paul

Paul Drake
bdbafh_at_gmail.com


Re[2]: PeteFinnigan.com Oracle advisory for bugs in dbms_scheduler ( alert #68)

Well, the whole world knows now...

Best regards,

Jonathan Gennick --- Brighten the corner where you are http://Gennick.com * 906.387.1698 * mailto:jonathan@xxxxxxxxxxx

Join the Oracle-article list and receive one article on Oracle technologies per month by email. To join, visit http://five.pairlist.net/mailman/listinfo/oracle-article, or send email to Oracle-article-request_at_xxxxxxxxxxx and include the word "subscribe" in either the subject or body.

Thursday, September 2, 2004, 12:00:41 PM, Gogala, Mladen (Mladen.Gogala_at_xxxxxxxx) wrote:

GM> What annoys me the most is that the bug is so trivial
GM> that it should have been discovered during the beta test.
GM> You and Pete didn't specify how exactly is it possible, probably
GM> out of the goodness of your heart, so I did a little investigation
GM> of my own, and discovered that Oracle10g allows
Received on Thu Sep 02 2004 - 21:31:39 CDT
