
Re: PeteFinnigan.com - Oracle security advisory

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Wed, 19 Jan 2005 10:02:10 +0000
Message-ID: <pdlqfhAiAj7BRx6R@peterfinnigan.demon.co.uk>


Hi Mark,

The patch sets don't just fix the bug I found, they also fix those found by Alex, Dave Litchfield and Steve Kost and presumably some bugs found internally in Oracle.

Oracle's advisory is the best I have seen so far from them in terms of information given. They also include a risk matrix for each individual bug fixed so you can decide whether to patch or not.

As the other poster in this thread suggested, it is not a good idea to give much more information than I did, otherwise people could work out how to exploit the problem on un-patched systems.

kind regards

Pete

In article <1106099242.135824.97710_at_z14g2000cwz.googlegroups.com>, Mark D Powell <Mark.Powell_at_eds.com> writes
>What good is a security alert that a specific feature has a potential
>security hole if the problem is not explained in enough detail that you
>can determine the realistic associated risk level? Applying a patch
>set is a very expensive proposition. Before we can apply a patch set
>to production we have to install it in a new directory structure in
>test, test hundreds of online and batch programs, and then get the
>necessary window for production. I can not justify the cost with the
>limited information being given.
>
>-- Mark D Powell --
>

-- 
Pete Finnigan (email:pete_at_petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Wed Jan 19 2005 - 04:02:10 CST
