IBM Corp. has fixed vulnerabilities in its DB2 Universal Database, which an attacker could use to remotely trigger
a buffer overflow.
London-based Next Generation Security (NGS) Software Ltd. discovered the "critical" vulnerabilities and said in an advisory it will wait three months before releasing full details on what the problems are and how exactly they can be exploited.
"Full details will be published on the 1st of December 2004," the company said in its advisory. "This three-month window will allow DB2 database administrators the time needed to test and apply the Fixpak before the details are released to the general public. This reflects NGSSoftware's new approach to responsible disclosure."
Specifically, the vulnerabilities affect DB2 8.1 Fixpak 6 and earlier, and DB2 7.x Fixpak 11 and earlier.