Don't worry, Oracle sucks, probably they won't say anything. Just to clarify(oh my god, i feel sorry about Oracle users, it's a pain in the ass to find the correct patches, to install them, etc.) the patch that fix these vulnerabilities is Patch 3 from January 2 it goes on top of Patchset 3 (9.2.0.4). If you (all people) don't understand don't worry i also don't understand much this Oracle patch stuff:), but if you are paying to get the patches and support then it should be easy, shouldn't be?
Cesar. --- Chris Anley <[EMAIL PROTECTED]> wrote: > > Hey Chris. > > Hey Cesar. > > > > > First of all, your advisories are a bit wrong: > > ...Systems Affected: Oracle 9 prior to 9.2.0.3 > > > > Actually Systems affected are Oracle 9 prior to > > 9.2.0.4 (Patchset 3). > > > > The date in Metalink site of the Patch that fixes > > these vulnerabilities is January 2 and your > advisories > > are from December. > > > > I could be wrong, Oracle patches numeration, > dates, > > etc. really sucks, but you could be wrong too as > the > > version of Oracle your advisory said it was > affected > > :). > > Interesting. The information we had direct from > Oracle was that > these issues were fixed in 9.2.0.3. Perhaps Oracle > could resolve the > discrepancy? I'm willing to believe that either, or > neither of > us is right :o) > > > The fact is that i contacted Oracle before the fix > was > > available, they released the fix and they didn't > told > > me anything, they didn't released any public alert > and > > your advisory isn't in any public list, it's only > on > > your site. Finally, given that the date of the > patch > > that fixes these vulns is January 2, you published > the > > advisories in your site before the fix was > available. > > Again i could be wrong. > > As I say, we had definitive information from Oracle > that the issues were > fixed in 9.2.0.3; we've heard nothing to the > contrary from Oracle or > anyone else up until your post. So it would be good > to get to the > bottom of this; there's definitely a communication > breakdown somewhere. > > > BTW: i'm curious, Why you didn't posted those > > advisories to public mailing lists? > > As far as we were concerned, these were old bugs. If > current versions > aren't affected, or if the bugs are of low severity, > we tend not to issue > advisories to mailing lists. > > -chris. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html __________________________________ Do you Yahoo!? Yahoo! Finance: Get your refund fast by filing online. http://taxes.yahoo.com/filing.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html