Date: Fri, 7 Oct 2005 13:52:18 -0400
From: Ray Stell
To: oracle-l
Subject: Re: Oracle Security Blasted

Is that true? Are the Alert 68 holes still there? I thought I patched
that about 4 or 5 times? ;)

> The real problem with this is not that the flaws Alert 68 supposedly fixed
> are still exploitable, but rather the approach Oracle took in attempting to
> fix these issues. One would expect that, given the length of time they took
> to deliver, these security "fixes" would be well considered and robust;
> fixes that actually resolve the security holes. The truth of the matter
> though is that this is not the case.

On Fri, Oct 07, 2005 at 09:40:36AM -0700, MacGregor, Ian A. wrote:
> Our security officer sent me this.
>
> Title: David Litchfield writes an open letter to the security community
> and Oracle customers
> Author: Pete Finnigan
> Source: Pete Finnigan's Oracle security weblog
>
> Excerpt:
>
> David is calling for Oracle customers to contact Oracle and demand a
> better security service and those customers should demand fixes. Cesar's
> comments mirror those of David with some comparisons to Microsoft a few
> years ago and he also threatens to release a 0day remote exploit.
>
> For complete article see:
> http://www.petefinnigan.com/weblog/archives/00000576.htm
> http://www.securityfocus.com/archive/1/412666/30/0/threaded
> http://www.argeniss.com/products.html
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> --
> http://www.freelists.org/webpage/oracle-l

============================================================
Ray Stell   stellr@vt.edu   (540) 231-4109   Tempus fugit   28^D