Re: Where are the XE security patches?

hpuxrac wrote:
> DA Morgan wrote:
> > DA Morgan wrote:
> > > hpuxrac wrote:
> > >> Pete Finnigan has got a very good point in his security blog
> > >> http://www.petefinnigan.com/weblog/entries/
> > >>
> > >> Perhaps it is disingenous of oracle to provide a free version of oracle
> > >> if there are not timely efforts to keep it patched and secured.
> > >
> > > Good point though I wouldn't have used the same words. I am checking on
> > > this and will report what I hear.
> >
> > I received one answer:
> >
> > The release of XE was delayed for four months so that Oracle could apply
> > and test a substantial number of security patches. If used per the docs
> > my source was unaware of any issues.
> >
> > The operative phrase here is "used per the docs" and not used for some
> > other purpose. Seems reasonable.
>
> If Pete Finnigan is hinting that there are unresolved security patches
> that currently haven't been applied against XE ... and oracle isn't
> committed to dates when it will be updated and patches ... that's
> "reasonable?".
>
> "My source was unaware of any issues?"
>
> Yikes.
>
> It don't take a weatherman to know which way the wind is blowing here.

A quick look at the "used per the docs" notes the following ...

Oracle Database XE is a great starter database for:

Developers working on PHP, Java, .NET, XML, and Open Source applications
DBAs who need a free, starter database for training and deployment Independent Software Vendors (ISVs) and hardware vendors who want a starter database to distribute free of charge Educational institutions and students who need a free database for their curriculum

So oracle has noted that ISV's and hardware vendors should feel free to pick XE to distribute free of charge but caveat emptor on security vulnerabilities?

At least we are not aware of any universities that have been hacked lately right? Received on Wed Dec 13 2006 - 12:34:51 CST