This is a discussion on Security Vulnerabilities Addressed in Informix Dynamic Server within the Informix forums, part of the Database Server Software category.
Not sure if this has posted here or not but ....

http://www-1.ibm.com/support/docview...GU8G&dc=D600&u id=swg21242921&loc=en_US&cs=UTF-8&lang=en

Cheers
Paul

Paul Watson
Tel: +44 1414161772
Mob: +44 7818003457
Web: www.oninit.com

GO FURTHER with DB2
GET THERE FASTER with Informix.
Attend the IDUG 2006 European Conference. Vienna, Austria. 2-6 October 2006
Visit http://www.iiug.org/conf for more information.
Ian Michael Gumby wrote:
> Yes the buffer overflow issues are a pain and frankly they shouldn't occur
> if IBM did formal code reviews. Or rather they should be caught and
> corrected prior to release.
>
> "Paul Watson" <paul@oninit.com> wrote in message
> news:018b01c6b6b5$b879e590$5900a8c0@arnold...
>> Not sure if this has posted here or not but ....
>>
>> http://www-1.ibm.com/support/docview...GU8G&dc=D600&u
>> id=swg21242921&loc=en_US&cs=UTF-8&lang=en

However I'm not surprised that it was David Litchfield that found them.
He is seriously bright.
Clive Eisen wrote:
> Ian Michael Gumby wrote:
>> Yes the buffer overflow issues are a pain and frankly they shouldn't occur
>> if IBM did formal code reviews. Or rather they should be caught and
>> corrected prior to release.
>>
>> "Paul Watson" <paul@oninit.com> wrote in message
>> news:018b01c6b6b5$b879e590$5900a8c0@arnold...
>>> Not sure if this has posted here or not but ....
>>>
>>> http://www-1.ibm.com/support/docview...GU8G&dc=D600&u
>>> id=swg21242921&loc=en_US&cs=UTF-8&lang=en
>
> However I'm not surprised that it was David Litchfield that found them.
> He is seriously bright.

The recent problems with IDS started in 10.0.xC4 and 5.... These were due to the introduction of features into FixPacks, which historically did not happen. And to add to the misery, since the new features were in, the testing was cut short, thus the regressions. I have sat with a very large customer that could not believe what they were seeing in 10. Their comment: "was this stuff even tested?!" I would encourage anyone to contact the Lab Director, Jerry Kesse (sp?) - according to one ex-IBM'er, a favorite phrase of his is "I OWN the product".... so maybe he could own the regressions too?

A soon-to-be-ex-IBM-er....
me wrote:
> The recent problems with IDS started in 10.0.xC4 and 5....

If you RTFA you'll see all the vulnerabilities were actually fixed in the interim versions you mention:

http://www-1.ibm.com/support/docview...id=swg21242921

From a news article:

"The good news, Litchfield said, is that IBM has already addressed the flaws in versions 7.31.xD9, 9.40.xC8, or 10.00.xC4. Unlike his often strained exchanges with Oracle, Litchfield said IBM has been responsive." .... "He again used Oracle as an example, noting how the database giant has fixed more than 100 serious flaws but has yet to address another 400-plus vulnerabilities, which is the estimated number of unpatched flaws according to his work and that of other researchers."

(From http://searchsecurity.techtarget.com...207274,00.html )

> these were due to the introduction of features into FixPacks, which
> historically did not happen

Minor features often go into interim releases and are mentioned in the release notes.

> since the new features were
> in, the testing was cut short

IDS 10 interims undergo more testing than any previous release. 10.00.xC5 is the most stable, secure and fastest release yet.

> according to
> one ex-IBM'er, a favorite phrase of his is "I OWN the product"

It is normal to refer to product and development managers as "owners" of their products and has never been taken literally (until now it seems).

Guy

> Clive Eisen wrote:
>> Ian Michael Gumby wrote:
>>> Yes the buffer overflow issues are a pain and frankly they shouldn't occur
>>> if IBM did formal code reviews. Or rather they should be caught and
>>> corrected prior to release.
>>>
>>> "Paul Watson" <paul@oninit.com> wrote in message
>>> news:018b01c6b6b5$b879e590$5900a8c0@arnold...
>>>> Not sure if this has posted here or not but ....
>>>>
>>>> http://www-1.ibm.com/support/docview...GU8G&dc=D600&u
>>>> id=swg21242921&loc=en_US&cs=UTF-8&lang=en
>> However I'm not surprised that it was David Litchfield that found them.
>> He is seriously bright.
>
> The recent problems with IDS started in 10.0.xC4 and 5.... These were
> due to the introduction of features into FixPacks, which historically
> did not happen. And to add to the misery, since the new features were
> in, the testing was cut short, thus the regressions. I have sat with a
> very large customer that could not believe what they were seeing in
> 10. Their comment: "was this stuff even tested?!" I would encourage
> anyone to contact the Lab Director, Jerry Kesse (sp?) - according to
> one ex-IBM'er, a favorite phrase of his is "I OWN the product".... so
> maybe he could own the regressions too?
>
> A soon-to-be-ex-IBM-er....
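The practical takeaway from the thread is the fixed-in list quoted above: 7.31.xD9, 9.40.xC8 and 10.00.xC4. The following script is an added example, not code from the thread, IBM or the advisory. It reads the version banner an IDS instance prints (for example the first line of `onstat -`, assumed here to look like "IBM Informix Dynamic Server Version 10.00.UC5"; the sample banners below are constructed) and reports whether the instance is at or above the fixed-in interim for its release train. It assumes that the "x" in the advisory's version strings stands for a single platform letter that does not affect ordering, and that the letter after it (C, D, ...) increases over a release's life, so a later letter is always newer. Release trains the advisory does not list are reported as "not assessable" rather than silently passed.

```python
import re

# Fixed-in interim levels quoted in the thread from IBM advisory swg21242921.
# Key: (major, minor); value: (level letter, interim number).
FIXED_IN = {
    (7, 31): ("D", 9),   # 7.31.xD9
    (9, 40): ("C", 8),   # 9.40.xC8
    (10, 0): ("C", 4),   # 10.00.xC4
}

# Assumed banner shape: "... Version 10.00.UC5 ..." where the first letter is
# a platform designator (ignored for ordering) and the second is the level.
_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.([A-Za-z])([A-Za-z])(\d+)")


def parse_version(banner):
    """Return (major, minor, platform, level, interim) or None if no version found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, platform, level, interim = m.groups()
    return (int(major), int(minor), platform.upper(), level.upper(), int(interim))


def is_patched(banner):
    """Return (patched: bool, reason: str) for one version banner.

    Anything that cannot be positively matched to a fixed-in level is False,
    so an unparseable or unlisted banner never passes by accident."""
    v = parse_version(banner)
    if v is None:
        return (False, "unrecognised version banner")
    major, minor, _platform, level, interim = v
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return (False, "release %d.%02d not covered by the advisory; not assessable"
                % (major, minor))
    fixed_level, fixed_interim = fixed
    # Assumption: level letters increase over time, so compare the
    # (letter, number) pair lexicographically: D9 > C9 and C5 > C4.
    if (level, interim) >= (fixed_level, fixed_interim):
        return (True, "at or above %d.%02d.x%s%d" % (major, minor, fixed_level, fixed_interim))
    return (False, "below fixed level %d.%02d.x%s%d" % (major, minor, fixed_level, fixed_interim))


def audit(banners):
    """Map each banner to its (patched, reason) verdict; useful over a fleet."""
    return {b: is_patched(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real servers.
    samples = [
        "IBM Informix Dynamic Server Version 10.00.UC5   -- On-Line -- Up 00:01:23",
        "IBM Informix Dynamic Server Version 10.00.UC3   -- On-Line -- Up 02:11:07",
        "Informix Dynamic Server Version 7.31.UD9        -- On-Line -- Up 10:00:00",
        "Informix Dynamic Server Version 7.31.UC8        -- On-Line -- Up 10:00:00",
        "IBM Informix Dynamic Server Version 9.40.FC8    -- On-Line -- Up 00:00:05",
        "IBM Informix Dynamic Server Version 11.10.UC1   -- On-Line -- Up 00:00:05",
    ]
    for banner, (ok, why) in audit(samples).items():
        print("%-8s %s  [%s]" % ("PATCHED" if ok else "CHECK", banner.split("--")[0].strip(), why))
```

Run it against the collected `onstat -` first lines from each instance; anything reported as CHECK is either below the fixed-in interim or on a train the advisory does not cover and needs a separate look.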