From: "David Litchfield" <davidl@ngssoftware.com.>
To: <bugtraq@securityfocus.com.>
Subject: Oracle and setting the record straight
Date: Thu, 21 Jul 2005 00:40:34 +0100

Hey all,

I don't know whether this helps serve any purpose or not, other than to
vent some of my own frustrations; however...

In the wake of the release of Alex Kornbrust's details on some Oracle flaws
there has been some discussion in various places about when I supposedly did
the same thing last year at Blackhat - i.e. release information on Oracle
bugs in the absence of a vendor-supplied patch.

For the record, I did _not_ do this.

So, setting the record straight: I was due to present a talk that centered
around a batch of Oracle vulnerabilities at Blackhat last year. I gave
Oracle a heads up and explained that I intended to do so and questioned
whether the patches would be ready. On the day of the talk I was informed by
Oracle that the patches were not ready and so when I got up on the stage I
proceeded to tell everyone exactly why I could no longer do the talk, i.e.
I can't do the talk because Oracle failed to patch the problems I was going
to talk about.

I did not discuss in any form or fashion the actual bugs.

Cheers and apologies to those who really don't care,

David Litchfield
NGSSoftware
http://www.ngssoftware.com/