Brahmanand Reddy wrote:
> CVE-2018-15473 is a "user existence oracle bug which does not meet our
> criteria for security advisories".
>
> You mean this vulnerability which will impact/affects only for Oracle
> base? Kindly confirm.
"Oracle" in the ancient Greek sense of a person through whom a d

On Mon, Dec 17, 2018 at 10:02:36AM -0800, Hugh LaMaster wrote:
> On 12/17/18 6:14 AM, Cameron, Frank J wrote:
> > 'The new SQLITE_DBCONFIG_DEFENSIVE features is more of a
> > defense-in-depth, designed to head off future vulnerabilities by
> > making shadow-tables read-o

On Mon, Dec 17, 2018 at 01:09:37PM +0100, Piotr Kubaj via freebsd-security
wrote:
> Doesn't base also need to be patched?
> AFAIK pkg uses sqlite database.
Does pkg allow running arbitrary untrusted SQL?
'The vulnerability only exists in applications that allow a potential
attacker to run arbitr

Andrew Duane wrote:
> I wouldn't think Javascript would have the accurate timing required to
> leverage this attack, but I don't really know enough about the language.
"The performance.now() method returns a DOMHighResTimeStamp, measured
in milliseconds, accurate to five thousandths of a milliseco

Eric McCorkle wrote:
> On 01/05/2018 11:40, Nathan Whitehorn wrote:
> > POWER has the same thing. It's actually stronger separation, since user
> > processes don't share addresses either -- all processes, including the
> > kernel, have windowed access to an 80-bit address space, so no process
> > c