Re: 02/11/2003 security alerts
As a rule, I stay away from the "one-off" or "standalone" patches for the RDBMS, unless I actually need the patch or it has been recommended for something specific. The so-called security patches don't always become necessary -- i.e., I haven't applied all the security patches. Another grouse is that these patches are only being released on the latest patchset, i.e. 8.1.7.4. Now I have a number of databases on 8.1.7.2 and 8.1.7.3 and I'd have to get downtime to first take them to 8.1.7.4!
Moreover, with a "suite" Oracle Applications, guessing the APPS password would be a much easier way to get or trash any and all the data!
Hemant
At 01:29 PM 14-02-03 -0800, you wrote:
>I downloaded some of these interim patches. Fortunately for me,
>the software needed to apply the patch is not included in the
>distribution. The readme points to Oracle9i Data Server Interim Patch
>Installation (OPatch) Doc ID: 189489.1, which says:
>
> "An Interim Patch is tested by itself but no system regression testing
> is done until it is included in the next Patch Set. Because of this,
> it is highly recommended that all customers needing bug fixes wait for
> a Patch Set or product release that includes the fix."
>
>and
>
> "The fix in each Interim Patch is a separate and unique branch off the
> base code line and does not automatically include other fixes made
> since the last baseline. Oracle does this to minimize the risk that a
> patch will have unexpected side effects. Because of this it is
> possible that a particular Interim Patch could cancel out a previously
> installed Interim Patch."
>
>I find this approach to system security reprehensible.
>
>1. I count 6 outstanding security related patches since the last patchset,
> 9.2.0.2.
>
>2. I don't believe there will be a patchset beyond 8.1.7.4 and there
> are outstanding holes. That means I have to apply the one-off, untested
> patches to production services.
>
>3. There is no point in releasing the advisory if there is no action that they
> "suggest" you take.
>
>4. When do you know when you need to apply an interim security patch? Would
> that be before or after the system is hacked?
>
>Oracle Corp.: You take the blue pill and the story ends. You wake in your bed
>and you believe whatever you want to believe.
>
>Have a nice weekend.
>
>
>
>On Thu, Feb 13, 2003 at 02:11:48PM -0800, Ray Stell wrote:
> >
> > http://otn.oracle.com/deploy/security/alerts.htm
>===============================================================
>Ray Stell stellr_at_vt.edu (540) 231-4109 KE4TJC 28^D
>--
>Please see the official ORACLE-L FAQ: http://www.orafaq.net
>--
>Author: Ray Stell
> INET: stellr_at_cns.vt.edu
>
>Fat City Network Services -- 858-538-5051 http://www.fatcity.com
>San Diego, California -- Mailing list and web hosting services
>---------------------------------------------------------------------
>To REMOVE yourself from this mailing list, send an E-Mail message
>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
>the message BODY, include a line containing: UNSUB ORACLE-L
>(or the name of mailing list you want to be removed from). You may
>also send the HELP command for other information (like subscribing).
Hemant K Chitale
My web site page is : http://hkchital.tripod.com
Author: Hemant K Chitale INET: hkchital_at_singnet.com.sg
Received on Fri Feb 14 2003 - 19:29:06 CST