Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Week of Oracle Database Bugs

Posted by ryuzaki0 on from the your-turn dept.

os2man writes "After the Month of Browser Bugs and the Month of Kernel Bugs, December will have a Week of Oracle Database Bugs. This project will release, every day for a week, a new 0-day bug specific to Oracle in order to show the current status of its [in]security. They are currently asking for new bugs, in order to extend the publication of new exploits a few more days."

4 of 56 comments (clear)

  1. um yeah by stoolpigeon · · Score: 5, Insightful

    without even commenting on the quality of oracle's rdbms, this statement:
    Why not the Month of Oracle Database Bugs?
    We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days:), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.
     
    doesn't even make sense. They have enough to do a whole year but ask for people to send in more to extend it to a second week? Because they don't want to compromise their entire zero day horde? Sorry but I just can't take these people too seriously.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:um yeah by djbckr · · Score: 3, Insightful

      I was going to mod this up, but I thought I'd post instead. Oracle database work is my livelyhood. Oracle makes no qualms about the number of bugs they have. Many of them are posted for all to see on their MetaLink support site. Many of them are not public for security reasons - and well they should be.

      I've found several Oracle bugs in my dealings with the software. I create a reproduceable test-case and send it to them. They always respond with 1) this is a known bug, and it's bug #nnn; or 2) bug reproduced in lab on version n.n.n - filed as bug #nnn

      If I found a bug related to security, I am *certain* they would do the same, and not publish it. It would be foolish to do so. Why oh why do people like this need to publish security related bugs so everyone can get comprimised? It's simply irresponsible.

      Oracle software is a *huge* moving target, and to fix a bug in something used by so many is a long, involved process. Break something critical in a patch and watch all hell break loose. Let the bug fixers do their jobs. It takes time, and exposing flaws like this does nobody any good.

    2. Re:um yeah by Psychotext · · Score: 3, Insightful

      I think realistically a lot of this can be traced back to the "Unbreakable" marketing campaign. They set themselves up for a major fall. That said, Oracle takes far too long to patch vulnerabilities and worrying about "breaking something critical" is not a good excuse.

      --
      People that believe in their opinions don't post AC.
  2. I feel like we are caught in a .... timeloop by msimm · · Score: 3, Insightful

    They say A) they have enough bugs (erherm, not exploits) to last a year B) they also say (I won't even speculate on the quality of the comment) "we don't want to give away all our 0days".

    So whatever. They had a weeks worth of exploits and they'd like some other people to pony up so they can make it two while holding on to some super-secret exploits. 7337!

    Anyway, slamming on Oracle seems a little silly. Its software, there will be problems.

    --
    Quack, quack.