Java开发网


Topic: 防民之口,甚于防川 ("Muzzling the people is worse than damming a river")
Author: menzy (posts: 754, points: 113)
Posted: 2005-04-01 08:56
I don't know how many people here use Sybase, but after reading this news item they probably won't feel comfortable.
Sybase to Security Researchers: Stay Quiet or We'll Sue
By Dennis Fisher and Lisa Vaas
March 22, 2005   

Sybase has threatened legal action against a security research firm if it releases details of vulnerabilities it found last year in Sybase's Adaptive Server Enterprise product, even though Sybase already has issued patches for the flaws.

Such threats of legal action are not unprecedented, but they typically come in the form of phone calls from vendors, not letters from lawyers, researchers say.

NGS Software Ltd. found eight buffer-overrun and denial-of-service vulnerabilities in Sybase ASE 12.5.3 in 2004 and subsequently notified the company of the problems. Sybase Inc., based in Dublin, Calif., released an updated version of the software earlier this year and alerted customers that they should upgrade to the latest version.

NGSS, based in Surrey, England, follows a self-imposed policy of not releasing specific details of any vulnerabilities it finds until after a vendor has either fixed the problem or has had ample time to do so and has decided not to release a patch, usually three months.

The company had planned to release the details of the Sybase flaws on Monday, but that idea was scuttled when NGSS received a letter from Sybase's legal department informing NGSS that it would be subject to legal action if the company went ahead with its plans to publish the details.

David Litchfield, a research scientist and one of the founders of NGSS, told that the crux of the matter involves the license agreement for the Developer Edition of Sybase ASE, which reads, in part: "Results of benchmark or other performance tests run on the program may not be disclosed to any third party without Sybase's prior written consent."

According to Litchfield, Sybase's letter states that, due to the license agreement clause, the company will consider it a "material breach" if NGSS publishes details on the security flaws.

Sybase is thus equating NGSS' work of finding security bugs as being the same as benchmarking and performance testing—a unique interpretation, at least in the history of NGSS.

"It's shocking," said NGSS researcher Mark Litchfield—David Litchfield's brother—in an interview with "If you take at least the past eight years, we've never had a response like this. The typical response [from vendors] is favorable.

"They'll let us know when a patch has come in, we'll test it, they'll put an advisory out, we'll put an advisory out, they'll say, 'Come here to download the patch,' and at that point we'll release an advisory saying there's a vulnerability and this is where you can get the patch."

NGSS' working relationship with Sybase has been "excellent" up to now, Mark Litchfield said. "This is unprecedented for a vendor and for us, and we've dealt with IBM, Microsoft [Corp.], Oracle [Corp.], all the big ones," he said. "This is completely new for us."

Views: 7070 | Title: 防民之口,甚于防川 | Author: menzy | Length: 3024 characters | Posted: 2005-04-01 08:56
