Sorry, I saw this after posting about sgepasswd before.

Rayson Ho <[email protected]> writes:

> Note that Oracle also fixed the code injection bug found by William in
> their CPU (Critical Patch Update) release today.

That suggests the part of the problem I found is unfixed, as it just says "qrsh".

> Andy shared a buffer overflow issue in sgepasswd (first with me, and
> then he also shared it with all other forks -

I only knew one had been reported and had to assume I'd already fixed it after auditing sgepasswd. (For what it's worth, the scanf overflows are detected on a Red Hat 5 system with the compilation options used for RPM builds.)

> we didn't want to put
> security bug fixes as features in marketing slides...).

Unfortunately no-one has made a reasonable proposal about how to handle such things in future. I don't think it's acceptable to have to hold back fixes and development for months to fit Oracle's schedule, especially when commercial customers get fixes in the meantime, or to be told one can't even seek review of fixes. To be fair, Andy Schwierskott sounds sympathetic, but it's not specific to OGE; we at least seem to be better off than distributors of MySQL, like Debian.

--
Community Grid Engine: http://arc.liv.ac.uk/SGE/
