Date: Fri, 20 Oct 2000 22:53:13 -0600
From: Kurt Seifried <seifried@SECURITYPORTAL.COM>
Subject: LSLID:2000102004 - Oracle [response from Oracle]
To: LINUX-SECURITY@LISTSERV.SECURITYPORTAL.COM

LSLID:2000102004

[mod note]: they accidentally shipped it, and they consider it pre-alpha software. Whooops, great QA job guys. The good news is a fixed version should be out next week.

=========

Hi Bugtraq Moderator -

This is in response to the above posting by pask@plazasite.com (Juan Michael Pascual Escrib). I did try to post online but apparently I need to register to do this. (Aside - it would be helpful if you had more readily-apparent information on how exactly one does register to post online. I could not seem to find this information on the BUGTRAQ site. Sorry if it WAS obvious and I missed it!)

Oracle's response is as follows:

The Linux version of Oracle Internet Directory (mentioned in the alert) is not a production release from Oracle; though Oracle Internet Directory 2.0.6 was never released on Linux, the OID binaries were accidentally shipped with the 8.1.6 Linux port and apparently install by default. Our position is that this should be regarded as a "pre alpha" product, is not supported, and should under no circumstances be put into production in a customer's environment. We apologize for our mistake and regret any inconvenience this has caused our customers.

We are also reviewing current production releases of OID to ensure that this problem does not occur in other releases and platforms, and will provide BUGTRAQ with additional information should the scope of the problem extend to production versions of product.

We appreciate receiving first notice of any security issues pertaining to any of our products, and apologize for any delays encountered in responding to those who reported this one.

Oracle encourages all Linux directory developers to download the upcoming production version of Oracle Internet Directory, v2.1.1, part of the Oracle 8.1.7 (8i Release 3) server media pack, from http://technet.oracle.com/, when it becomes available early next week.

Regards

Mary Ann Davidson

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mary Ann Davidson
Director, Security Product Management
Server Technologies
Oracle Corporation
(650) 506 5464
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
No ka moana ku'u mele; no na halu au e hula ai.
"From the ocean comes my song; of the waves I dance my dance."
There is no problem a good day of surfing won't cure.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~