[ED: Deleted Per Oracle's Request]



  • This message (Major bugs in ODP.NET Driver 10.2.0.2 Beta) was removed per request from a developer at Oracle:

    Would you be willing to delete this thread?

    http://thedailywtf.com/forums/thread/80071.aspx

    It exposes a security issue with our .NET provider. When the poster contacted us about it, we immediately stopped our production release and fixed the security hole.



  • Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    Why do they use "key.GetHashCode()" instead of "key"? The hashtable itself is able to handle collisions(), but of course it needs the real key, not the hashvalue of the key, to do that.



    (
    ) if not, it's time to dump .net
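
The general point in the reply above, as an added C# example that is not part of the original thread and is not Oracle's code: a `Hashtable` keyed by `GetHashCode()` cannot separate two keys whose hash codes collide, while one keyed by the object itself can. `CacheKey`, its fields and the sample values are hypothetical and constructed for the demo.

```csharp
using System;
using System.Collections;

// Hypothetical key type for this demo. Its hash covers only Owner, so two
// distinct keys can share a hash code; any GetHashCode may collide, this one
// just makes the collision deterministic.
sealed class CacheKey
{
    public readonly string Owner;
    public readonly string Name;

    public CacheKey(string owner, string name) { Owner = owner; Name = name; }

    public override int GetHashCode() { return Owner.GetHashCode(); }

    public override bool Equals(object obj)
    {
        CacheKey other = obj as CacheKey;
        return other != null && other.Owner == Owner && other.Name == Name;
    }
}

static class HashKeyDemo
{
    static void Main()
    {
        CacheKey first = new CacheKey("alice", "report-A");   // constructed sample data
        CacheKey second = new CacheKey("alice", "report-B");  // different key, same hash code

        // Keyed by hash code: the table only ever sees two equal ints, so it
        // cannot tell the keys apart and the second lookup finds the first entry.
        Hashtable byHashCode = new Hashtable();
        byHashCode[first.GetHashCode()] = "value stored for report-A";
        object wrongHit = byHashCode[second.GetHashCode()];

        // Keyed by the object: the hash code only selects a bucket, then
        // Equals() compares the real keys, so the colliding key is a miss.
        Hashtable byKey = new Hashtable();
        byKey[first] = "value stored for report-A";
        object miss = byKey[second];

        Console.WriteLine("by hash code: {0}", wrongHit ?? "(not found)");
        Console.WriteLine("by real key:  {0}", miss ?? "(not found)");
    }
}
```

When the stored value is per-user or per-session state, the first pattern hands one caller another caller's entry, which is why a collision there is a security problem and not only a correctness bug.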



  • Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    I'm unable to recreate this error.  [ ... removed ... ]



  • I just got it.  [ ... removed ...]



  • Aaand the new version works properly, at least on my machine.  Upgrade to 10.2.0.2.20 ASAP!



  • bug is only present in

    10.2.0.2.10 Beta

    it is solved in

    10.2.0.2.20 Final


  • ♿ (Parody)

    Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    Sorry guys, I details from the post for security reasons.



  • Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    @CeeJay said:

    Post removed per request from a developer at Oracle:

    Would you be willing to delete this thread?

    http://thedailywtf.com/forums/thread/80071.aspx

    It exposes a security issue with our .NET provider. When the poster contacted us about it, we immediately stopped our production release and fixed the security hole.

     

    HAHAHAHAHAHA. 

    I zee noth-ing!



  • @Rotary Jihad said:

    Wow. This got quashed really fast in a few places. http://www.google.com/search?hs=XZ&hl=en&lr=&client=opera&rls=en&q=ODP.NET+Driver+10.2.0.2+Beta+security+bug&btnG=Search You know when Microsoft does this it's decried as near criminal. Are the fast patches as well as the insider silencing normal in the Oracle community?

    I think it's a fair point, why was this removed? the real reason please? why did you agree? how much were you paid? Did they threaten you with legal action?

    Since when does TDWTF sensor articles?

    I would have personally refused, sorry you lost some cred with me when I saw this removed. Lame Alex lame, very disappointed.

     



  • Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    I'm sorry - we're not allowed to discuss Oracle bugs in the I-Hate-Oracle-Club? 

    (I hate to say it but) WTF?



  • At least they've fixed the bug.  It could be worse.


  • ♿ (Parody)

    @codenator said:

    I think it's a fair point, why was this removed? the real reason please? why did you agree? how much were you paid? Did they threaten you with legal action?

    Since when does TDWTF sensor articles?

    I would have personally refused, sorry you lost some cred with me when I saw this removed. Lame Alex lame, very disappointed.

    Why? Because I'm not a dick.

    A fellow developer (who happens to work at Oracle) emailed me personally and asked very nicely if I could remove it. Should I have said, say, "no your product is teh sux0rs and you are a l00zer, how could you work for Oroable?! I must expose the truth about your product!!!"

    If Oracle's Legal Machine emailed me and demanded I remove it or face legal action, I still would have. But that's because I'm a pussy.

    With the DMCA, they can shut down websites. Heck, they could even sue. And in America, lawyers cost money. Lots of it. Yeah, they woulda lost. Yeah, they woulda had to reimburse my legal fees. Keyword there is "reimburse" -- anyone wanna guess the retainer I'd need for such a suit? I'd say $5,000, minimum. Yeah, I'm all for free speech, blah blah blah, but don't sign me up as the martyr.

    Personally, the fact that Oracle emailed me (yes, I verified it was from them) and requested I remove it is much funnier than the fact that ODP.NET has a bug. In fact, I'm even going to change the title of this post because I think it's funnier that way.



  • [quote user="codenator"]

    I think it's a fair point, why was this removed? the real reason please? why did you agree? how much were you paid? Did they threaten you with legal action?

    Since when does TDWTF sensor articles?

    I would have personally refused, sorry you lost some cred with me when I saw this removed. Lame Alex lame, very disappointed.

     [/quote]

     

    Wow, that post has "teenager" written all over it. You don't think it's a bit irresponsible to have a public posting of a security exploit on a widely-used application? It's not only Oracle's problem, it's also a potential problem for everyone using their product...



  • [quote user="shadowman"][quote user="codenator"]

    I think it's a fair point, why was this removed? the real reason please? why did you agree? how much were you paid? Did they threaten you with legal action?

    Since when does TDWTF sensor articles?

    I would have personally refused, sorry you lost some cred with me when I saw this removed. Lame Alex lame, very disappointed.

     [/quote]

     

    Wow, that post has "teenager" written all over it. You don't think it's a bit irresponsible to have a public posting of a security exploit on a widely-used application? It's not only Oracle's problem, it's also a potential problem for everyone using their product...

    [/quote]

     

    Thanks for your input, you sound like a complete upper management idiot whom I couldn't possibly begin to explain software engineering responsibility to. By the way I'm well past those teenage years and probably been in this business more than most.

     Somehow I get the feeling you are a hacker who pumps out any old crap onto your customers and then release quick fixes to cover your incompetence.

    We call it all care no responsibility.....Oracle's devs are the company's own worst enemy.....their product suite is a pile of stinking crap

     What's the risk in not exposing the risk in a widely used application? huh c'mon smartarse...

     It's Oracle's problem and they should be named and shamed. Why not exactly?



  • [quote user="Alex Papadimoulis"]

    Why? Because I'm not a dick.

    [/quote]

    Sometimes I tend to disagree

    [quote user="Alex Papadimoulis"]

    A fellow developer (who happens to work at Oracle) emailed me personally and asked very nicely if I could remove it. Should I have said, say, "no your product is teh sux0rs and you are a l00zer, how could you work for Oroable?! I must expose the truth about your product!!!"

    [/quote]

    I'm sorry is that credibility being flushed down the toilet?

    [quote user="Alex Papadimoulis"]

    If Oracle's Legal Machine emailed me and demanded I remove it or face legal action, I still would have. But that's because I'm a pussy.

    With the DMCA, they can shut down websites. Heck, they could even sue. And in America, lawyers cost money. Lots of it. Yeah, they woulda lost. Yeah, they woulda had to reimburse my legal fees. Keyword there is "reimburse" -- anyone wanna guess the retainer I'd need for such a suit? I'd say $5,000, minimum. Yeah, I'm all for free speech, blah blah blah, but don't sign me up as the martyr.

    [/quote]

    On what grounds exactly? c'mon lawyer hot shot? I laughed at this, have you not proven this flaw to be true, this is not slander or false accusations so c'mon explain it.

    [quote user="Alex Papadimoulis"]

    Personally, the fact that Oracle emailed me (yes, I verified it was from them) and requested I remove it is much funnier than the fact that ODP.NET has a bug. In fact, I'm even going to change the title of this post because I think it's funnier that way.

    [/quote]

    ok true...



  • codenator,

    Just because you happen to be 30 (or however old you are) doesn't mean you aren't acting like a teenager.  

     

    Also, I think it's funny that Oracle reads the Oracle Hate Club Board. 



  • [quote user="tster"]

    codenator,

    Just because you happen to be 30 (or however old you are) doesn't mean you aren't acting like a teenager.  

    [/quote]

     

    Thanks for your pointless opinion.....I've read some of your posts on this site and your opinion doesn't have any weight with me.

     

    what part of questioning this is teenager behaviour?

     


  • ♿ (Parody)

    [quote user="codenator"][quote user="Alex Papadimoulis"]Heck, they could even sue. [/quote]On what grounds exactly? c'mon lawyer hot shot? I laughed at this[/quote]

    Are you serious? Do you have any idea how the civil courts work in the US?

    Unlike a criminal case, you do not need "probable cause" to bring suit against another. So long as you fill out the right paperwork and pay the court fees, you can sue ANYONE for ANY REASON whatsoever.

    If the suit is frivolous, you MAY be lucky enough to have a competent lawyer file a motion for summary judgment. Wanna guess how much that'll cost? But chances are the judge will want to hear the case. That's where the real money gets spent. If you're REALLY lucky, your lawyer might be able to win a countersuit for his fees.

    [Harsh comments removed]

    OK, I admit, I was embarrassingly harsh there. It was late, I was tired, etc.

    But my point stands: the moment you get sued, you've already lost. Be it time, money, sanity, etc. That's just how it works in the US.



  • I guess Alex has better things to worry about than that. You jump first.

    Btw, this link is especially for you, you know why. 


  • ♿ (Parody)

    [quote user="codenator"]What do you mean you may be lucky enough to get a competent lawyer? [/quote]

    How many trial lawyers do you know? If you thought the software industry was filled with incompetence, you need to check out the legal industry. Half the lawyers out there are walking WTFs.

    [quote user="codenator"]lucky to win countersuit for his fees?[/quote]

    Do you really think that the winning defendant gets his legal bill picked up by the plaintiff? That ain't how it works in Ohio or any other state I know of: you need to countersue and demonstrate the suit was baseless and frivolous.

    Oh wait a minute, perhaps in your fantasy civil legal system, one can just defend himself? That might be how it works in Judge Judy or small claims, but in the real court system you'll find yourself in default or contempt quicker than you can say "pro se."

    [quote user="codenator"]Sound to me like you have no idea and a little scared to stand up to those bullies in Oracle, they are bluffing and it looks like they are winning.  [/quote]

    No. "They" didn't threaten me or bully me at all; a developer asked me nicely. It was simply funnier to "censor" it. Plus, that had the benefit of reducing the minimal risk of any trouble to zero. I just don't care enough about the IHOC to put up a fight about it.

    On the other hand, if the "real Virtudyne" were to come to me and do something, I'd stand up for myself because I care about TDWTF. But then again, it'd be pretty silly for them to take any action (be it a C&D, subpoena, libel suit, etc) because that would definitely make a front-page post and most certainly would identify who the real company behind Virtudyne is ...

    Yes, I do have integrity. But I also have wisdom and know what battles are worth fighting.



  • Call them back and tell them you want to put your content back, when can we expect patch to be distributed?

     

    >8)

    -viz 



  • [quote user="Rotary Jihad"]Wow. This got quashed really fast in a few places.

    You know when Microsoft does this it's decried as near criminal.

    Are the fast patches as well as the insider silencing normal in the Oracle community?[/quote]

    It's called social responsibility.

    If you post an unknown exploit in public, you endanger a lot of people's information, possibly your own. Security 101. The harm is far greater than the good of publishing it.

    think about it...

    However, there needs to be a timeframe when they'll fix it and it had better be fast. Once people know that there is an issue with something like the .Net provider, every h4x0r and his brother will be poking at it to find out what that is, the clock is ticking and it's only a matter of time before the wrong people figure it out. In fact, if I were the moderator of this board, I'd clean up the parts that specify where the vulnerability is, as well as the exploit.

    Once it's patched and distributed it's perfectly ok to release the exploit for educational purposes.
     

     -Viz
     



  • @apapadimoulis Now that the bug has been fixed for several years, care to share what it used to be?


  • Java Dev

    @twelvebaud Beta version has a bug. Which was fixed. News at 11. Let him who never had this happen to them cast the first stone.



  • @pleegwat Usually security bugs are only embargoed until fixes are universally-ish distributed, and seeing them helps people learn what not to do -- see the post immediately (hah) above mine. I'm curious what Oracle did wrong to make sure I don't make the same mistake, no matter how unlikely or idiotic that mistake may be.

    And if I get to make fun of them for it, so much the better.



  • This post is deleted!


  • @twelvebaud There's a blog page here which lists changes in between the .10 beta and the .20 final version. The ones that look the most likely to me to be security related are these:

    1. DllPath Registry Value (ODP.NET for .NET Framework 1.x and 2.0)
      The Oracle.DataAccess.dll searches for dependent unmanaged DLLs (i.e. Oracle Client) based on the following order:
      i) directory of the application/executable
      ii) directory specified by HKEY_LOCAL_MACHINE\Software\Oracle\ODP.NET\DllPath
      iii) directories specified by the PATH environment variable
      Upon an install of ODP.NET, the DllPath registry value of type REG_SZ will be set to the %ORACLE_HOME%\bin directory where the corresponding dependent DLLs are installed.
      Note that the DllPath registry value takes effect only on Windows XP, Windows Server 2003, and Windows Server 2003 R2. If ODP.NET is installed on Windows 2000, ODP.NET will simply rely on the application directory and PATH for loading dependent unmanaged DLLs.
    2. ODP.NET and Dependent Unmanaged DLL Mismatch (ODP.NET for .NET Framework 1.x and 2.0)
      To enforce the proper usage of Oracle.DataAccess.dll assembly with proper unmanaged DLLs, an exception will be raised if Oracle.DataAccess.dll notices it has loaded a mismatching version of a dependent unmanaged DLL.
    3. UDT/Objects Support (ODP.NET for .NET Framework 1.x and 2.0)
      This feature has been removed for 10.2.0.2.20.

    Of course, this doesn't help much with knowing what they did wrong. And this list might not include the bugfix anyway. It's all I could find from a quick search, though.


  • Notification Spam Recipient

    :wtf: Who found out how to troll through the thread lists in reverse order again???



  • @tsaukpaetra "GODDAMNIT FBMAC"™


  • Notification Spam Recipient

    @sockpuppet7 said in [ED: Deleted Per Oracle's Request]:

    @tsaukpaetra "GODDAMNIT FBMAC"™

    You know, if you asked nicely I'm sure they'd let you have the account back...



  • @tsaukpaetra we're not allowed to have more than 42 accounts


  • Notification Spam Recipient



  • @sockpuppet7 Surely there are more than that many boomzilla alts? Or is that a special case?


  • Trolleybus Mechanic

    @apapadimoulis said in [ED: Deleted Per Oracle's Request]:

    Sorry guys, I details from the post for security reasons.

    How does details increase security?!? You should have REMOVED details instead. Hopefully it isn't too late.

    @codenator said in [ED: Deleted Per Oracle's Request]:

    Since when does TDWTF sensor articles?

    Since always. We have a very fine tuned bullshit detector.


  • Considered Harmful

    @lorne-kates A couple of your articles have been complete bullshit too. Like that one with the robotic throwing arm.


  • 🚽 Regular

    @codenator said in [ED: Deleted Per Oracle's Request]:
    Since when does TDWTF sensor articles?

    @lorne-kates said in [ED: Deleted Per Oracle's Request]:

    Since always. We have a very fine tuned bullshit detector.

    The detector has very fine tuned censors.



  • @lorne-kates he accidentally a word



  • @sockpuppet7 But he purposefully the details from the post.


  • Winner of the 2016 Presidential Election

    @twelvebaud said in [ED: Deleted Per Oracle's Request]:

    @apapadimoulis Now that the bug has been fixed for several years, care to share what it used to be?

    Maybe something to do with:

    @ammoq said in [ED: Deleted Per Oracle's Request]:

    Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    Why do they use "key.GetHashCode()" instead of "key"? The hashtable itself is able to handle collisions(), but of course it needs the real key, not the hashvalue of the key, to do that.



    (
    ) if not, it's time to dump .net

