[21505] in bugtraq
Re: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener
daemon@ATHENA.MIT.EDU (ian stanley)
Mon Jul 16 00:26:25 2001
From: ian stanley <iandstanley@users.sourceforge.net>
To: "Jair Pedro" <jair@agendasaude.com.br>, <bugtraq@securityfocus.com>
Date: Fri, 13 Jul 2001 16:47:57 +0100
In-Reply-To: <019801c1066a$5d9a7c30$50aaccc8@hits4>
Message-Id: <0107131647570F.08463@linux>
On Friday 06 July 2001 23:24, Jair Pedro wrote:
> After reading the article, I went to Oracle to download the patch and was
> very surprised that in order to download the patch I would have to Pay!!!
> To access the restricted area where I could get the patches I would have to
> have a contract with them, which costs about 22% of the licence I already
> have.
>
> I tried to explain to them by phone and email that it was not my fault
> that their product had this serious security flaw, and all they said was
> that their assistance on a free basis was only during the first 3 months after
> install and "you would have a lot of advantages signing our support
> services".
Depending on your country of origin - you could have some consumer protection.
E.g. in the UK you would probably be supported by /the sale of goods act/
in as much as the security of the product ought to be considered critical
to the enterprise concerned - and thus the product be /unfit for the purpose
intended/. Never mind the fact that they may have shipped faulty goods.
Even the possibility of a potential court case being filed against Oracle
based on the product being unfit for the purpose - would be rather embarrassing for
Oracle.
> I don't want support, as we have almost half a ton of books in our
> development department and all the newsgroups on the internet...
>
> There is nothing I can do now, except to pay to correct their very own
> error, but, in my company, I do not intend to deploy any other products
> with similar politic$ for patches.
>
> The next time we need a database, it will not be an Oracle.
> I'd like to hear from the list if there are other companies/products with
> such an absurd policy.
>
> tks
>
> Jair
> ----- Original Message -----
> From: "Aaron C. Newman" <aaron@newman-family.com>
> To: "Jeffrey M. Smith" <jsmith@purdue.edu>; <bugtraq@securityfocus.com>
> Sent: Friday, June 29, 2001 8:06 PM
> Subject: RE: [COVERT-2001-04] Vulnerability in Oracle 8i TNS Listener
>
> > I also could not locate a patch or even a reference to the bug id either.