Paula,
You can always take the approach that if Oracle says it must be patched, and you have warned management that the patch should be applied and tested before it goes to production, then you have at least done your part to warn everyone of the risks involved.
I think for the most part that Oracle patches do not at least cause any harm - that at the very least there is *another* patch that should fix any new problems that arise. We have entered a new world with these freekin Oracle security patches. We're being forced to apply patches even though we don't have any exposure to the problem.
For example, if you do not allow the scheduling of jobs within Oracle, you may not be exposed to the risk. And yet we are forced to patch the database.
Ah well. Just patch it and be done with it.
Tom Mercadante
Oracle Certified Professional
-----Original Message-----
From: Paula_Stankus_at_doh.state.fl.us [mailto:Paula_Stankus_at_doh.state.fl.us]
Sent: Thursday, September 02, 2004 1:28 PM
To: oracle-l_at_freelists.org
Subject: RE: security alert - management up in arms
Guys,
I had 3 managers ask me about this today. I am planning to put in dev then prod but they want me to open emergency tickets and start doing now!!!! All of our Oracle databases are internal (inside of a firewall).
My concern is having recently been burnt on 9.2.0.5 Solaris 64-bit - that this not be another exercise in Oracle regression testing.
I know that a security patch is much more focused and likely doesn't have the same changes/impact as a patchset. However, what does everyone do in terms of due diligence to ensure these security patches are not going to "break" Oracle functionality? It seems like it should be reasonable to put in dev/test - run for a little while then promote. However, with 9.2.0.5 we didn't come up with problems until we used export/import and sql*loader.
Any thoughts on this?
"This e-mail is a critical technical alert which is being sent as a service to all MetaLink users!
The following Security Alert has been published on MetaLink by the Oracle Security Compliance team:
August 31, 2004
Severity: 1
Alert #68: Oracle Security Update"
--- To unsubscribe - mailto:oracle-l-request_at_freelists.org&subject=unsubscribe To read recent messages - http://freelists.org/archives/oracle-l/09-2004 ---
Received on Fri Sep 03 2004 - 06:56:15 CDT