Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle 9i DB Security Hole

From: Howard J. Rogers <dba_at_hjrdba.com>
Date: Fri, 19 Apr 2002 21:40:03 +1000
Message-ID: <a9ovpv$l8s$1@lust.ihug.co.nz>


Good. Thanks for that. Now I can go to bed and sleep at night(*).

Regards
HJR

(*) The maker of this Earth warrants that the author shall sleep as provided in Clause 1 of the above post, except in the event of war, snoring, cats deciding they need to be fed, or kangaroos deciding they need to breed.

"Niall Litchfield" <n-litchfield_at_audit-commission.gov.uk> wrote in message news:3cbffc06$0$233$ed9e5944_at_reading.news.pipex.net...
> Yes it is a customer alert doc id 185074.1 published 18/04/02
>
>
> --
> Niall Litchfield
> Oracle DBA
> Audit Commission UK
> *****************************************
> Please include version and platform
> and SQL where applicable
> It makes life easier and increases the
> likelihood of a good answer
>
> ******************************************
> "Howard J. Rogers" <dba_at_hjrdba.com> wrote in message
> news:a9oru7$hej$1_at_lust.ihug.co.nz...
> > What I'd like to know is: is this now a customer alert?
> >
> > I have no doubt that the problem was simply one of not realising the
> > import of the matter.
> >
> > I didn't realise it myself. The *very* original post mentioned being
> > able to select from any table. Jonathan happened to mention that a view
> > on a select of any table meant DML was possible. I happened to wonder
> > whether a view on a data dictionary table would allow you to wreck the
> > database. If you weren't primed to follow that chain of reasoning, you
> > wouldn't have thought too badly of a bug here and there, which all
> > products have.
> >
> > The lack of a patch for NT is unfortunate, to say the least. But
> > otherwise, the speed of response has been good.
> >
> > But if no-one knows about it, it's no use. I'd like to see an alert...
> > at least that way, it's your own fault if you get bitten.
> >
> > Regards
> > HJR
> >
> >
> >
> > "Connor McDonald" <connor_mcdonald_at_yahoo.com> wrote in message
> > news:3CBF3140.2124_at_yahoo.com...
> > > Niall Litchfield wrote:
> > > >
> > > > "Jonathan Lewis" <jonathan_at_jlcomp.demon.co.uk> wrote in message
> > > > news:1019148031.14139.0.nnrp-14.9e984b29_at_news.demon.co.uk...
> > > > >
> > > > > I think that your judgement on this case may
> > > > > be a bit harsh. Given that it took about 24 hours
> > > > > for the patch to appear from the moment the
> > > > > post hit the newsgroup, it clearly wasn't a case
> > > > > of:
> > > > > "It's too difficult / dangerous / expensive to fix,
> > > > > let's hope no-one else notices before 9.2"
> > > >
> > > > I'd say that Oracle's reaction once they realized the problem was
> > > > real and serious has been excellent. As someone who has also to
> > > > support other vendors' products where we often get a delay before
> > > > patch availability and oftentimes several patches for the same
> > > > problem. That all said, I do feel that a bug of this seriousness
> > > > shouldn't have slipped through QA. I have some sympathy too for the
> > > > metalink analyst(s?) who missed the significance of what they were
> > > > seeing. That is all too easy to do, especially in a front line
> > > > support environment.
> > > >
> > > > --
> > > > Niall Litchfield
> > > > Oracle DBA
> > > > Audit Commission UK
> > >
> > > Agreed. My only criticism is that the bug has now gone from
> > > 'published' to 'unpublished'. I applaud the speed at which they
> > > backported the patch... I'm not so sure about the coverup.
> > >
> > > Cheers
> > > Connor
> > > --
> > > ==============================
> > > Connor McDonald
> > >
> > > http://www.oracledba.co.uk
> > >
> > > "Some days you're the pigeon, some days you're the statue..."
> >
> >
>
>
Received on Fri Apr 19 2002 - 06:40:03 CDT
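The chain of reasoning Howard describes above (a select on any table, a view over that select, DML through the view, and a view over a data dictionary table as the worst case) rests on ordinary Oracle view behaviour. The following is an added illustration written for this archive, not code from anyone in the thread, and it does not attempt to reconstruct the 9i bug itself, whose mechanics the thread never spells out. Schema and object names (APP, DEMO_ACCOUNTS, V_ACCOUNTS) are hypothetical; run it as a DBA in a throwaway test database.

```sql
-- Added illustration (not from the thread). Hypothetical names: APP,
-- DEMO_ACCOUNTS, V_ACCOUNTS. Shows (a) that a plain view passes DML through
-- to its base table and (b) an audit query for views over SYS-owned objects.

-- 1. A base table and a simple single-table view over it, both owned by APP.
CREATE TABLE app.demo_accounts (
    acct_id  NUMBER PRIMARY KEY,
    owner    VARCHAR2(30),
    balance  NUMBER
);
INSERT INTO app.demo_accounts VALUES (1, 'ALICE', 100);
INSERT INTO app.demo_accounts VALUES (2, 'BOB',   200);

CREATE VIEW app.v_accounts AS
    SELECT acct_id, owner, balance FROM app.demo_accounts;

-- 2. Check: a simple view (one table, no joins, DISTINCT or aggregates) is
--    updatable by default, so every column here reports UPDATABLE = 'YES'.
SELECT column_name, updatable, insertable, deletable
  FROM dba_updatable_columns
 WHERE owner = 'APP' AND table_name = 'V_ACCOUNTS';

-- 3. DML issued against the view lands in the base table: after this
--    UPDATE, the SELECT on DEMO_ACCOUNTS shows ALICE with balance 0.
UPDATE app.v_accounts SET balance = 0 WHERE owner = 'ALICE';
SELECT owner, balance FROM app.demo_accounts ORDER BY acct_id;

-- 4. Defensive form: if a view is only meant for reading, say so. DML
--    against a WITH READ ONLY view is rejected by the server.
CREATE VIEW app.v_accounts_ro AS
    SELECT acct_id, owner, balance FROM app.demo_accounts
    WITH READ ONLY;

-- 5. Audit check: views owned by anyone other than SYS or SYSTEM that
--    depend directly on a SYS-owned table or view. Any such view deserves
--    a second look, because DML through it would reach the data dictionary.
SELECT d.owner, d.name AS view_name, d.referenced_name AS sys_object
  FROM dba_dependencies d
 WHERE d.type            = 'VIEW'
   AND d.referenced_owner = 'SYS'
   AND d.referenced_type IN ('TABLE', 'VIEW')
   AND d.owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY d.owner, d.name;
```

The audit query in step 5 is deliberately broad: Oracle-supplied schemas (for example those installed by options such as Text or Spatial) legitimately own views over SYS objects, and ordinary application views that select from SYS.DUAL will also appear, so in practice you filter those out and focus on application schemas. Whether DML through a view actually succeeds depends on the privilege check against the view owner's rights on the base object; that is the check the thread is describing as having gone wrong, and the point of the query is to find where such a failure would matter most.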
