Why no ASE security fixes ?

3 posts in General Discussion Last posting was on 2009-12-17 17:36:47.0Z
Murali Posted on 2009-12-15 09:15:23.0Z

Does anyone know why ASE does not release security fixes,
like MS SQL security patches or Oracle's CPUs?

I mean, why are we not hearing about denial-of-service
attacks or SQL Injection or security vulnerability for ASE
and patches thereof, like we hear for other RDBMS?

Thanks in advance.


Rob V [ Sybase ] Posted on 2009-12-15 14:22:55.0Z

Because these don't happen so much for ASE installations. There have been
such fixes very occasionally (I remember one back in 2000 or so).
Some things I've heard about this: a difference with Oracle is that ASE has
always been designed as client-server from day 1, whereas Oracle used to be
monolithic and got client/server only later. I guess MS-SQL's close
integration with Windows has tied the database to a known security
weakness...
Also, it can't be for lack of interesting systems to hack, because ASE tends
to run plenty high-value systems -- I guess typically such systems are
pretty well protected.

Let's count our blessings....

HTH,

Rob V.
-----------------------------------------------------------------
Rob Verschoor

Certified Sybase Professional DBA for ASE 15.0/12.5/12.0/11.5/11.0
and Replication Server 15.0.1/12.5 // TeamSybase

Author of Sybase books (order online at www.sypron.nl/shop):
"Tips, Tricks & Recipes for Sybase ASE" (ASE 15 edition)
"The Complete Sybase ASE Quick Reference Guide"
"The Complete Sybase Replication Server Quick Reference Guide"

mailto:rob@YOUR.SPAM.sypron.nl.NOT.FOR.ME
http://www.sypron.nl
Sypron B.V., Amersfoort, The Netherlands
Chamber of Commerce 27138666
-----------------------------------------------------------------

<Murali> wrote in message news:4b2753ab.719.1681692777@sybase.com...
> Does anyone know why ASE does not release security fixes,
> like MS SQL security patches or Oracle's CPUs?
>
> I mean, why are we not hearing about denial-of-service
> attacks or SQL Injection or security vulnerability for ASE
> and patches thereof, like we hear for other RDBMS?
>
> Thanks in advance.


TRUTH Posted on 2009-12-17 17:36:47.0Z


> Because these don't happen so much for ASE installations.
> There have been such fixes very occasionally (I remember
> one back in 2000 or so). Some things I've heard about
> this: a difference with Oracle is that ASE has always been
> designed as client-server from day 1, whereas Oracle used
> to be monolithic and got client/server only later. I guess
> MS-SQL's close integration with Windows has tied the
> database to a known security weakness...

DUH.. lol

> Also, it can't be for lack of interesting systems to hack,
> because ASE tends to run plenty high-value systems -- I
> guess typically such systems are pretty well protected.
>
Not true. Most ASE critical sites are OLD. They have many
layers of security before even anyone can reach the DB
server and try a DB specific Hack.

Oracle/MS-SQLserver is used by every convenience store/every
stall in the mall (point is, Oracle is used by too many
people who do not employ layers and layers of security).

For hackers it's easier to exploit Oracle/MS-SQLserver not
because they have issues and ASE doesn't. ASE not exploited
in any way doesn't mean it's BETTER product - security wise.



> Let's count our blessings....
>
> HTH,
>
> Rob V.