Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: security alert - management up in arms

RE: security alert - management up in arms

From: Mercadante, Thomas F <>
Date: Fri, 3 Sep 2004 08:00:33 -0400
Message-ID: <543DF856D23431489D4B8028C300FBAB08AC941B@exchsen0a1mb>


You can always take the approach that if Oracle says it must be patched, and you have warned management that the patch should be applied and tested before it goes to production, then you have at least done your part to warn everyone of the risks involved.

I think for the most part that Oracle patches do not at least cause any harm - that at the very least there is *another* patch that should fix any new problmes that arise. We have entered a new world with these freekin Oracle security patches. We're being forced to apply patches even though we don't have any exposure to the problem.

For example, if you do not allow the scheduling of jobs within Oracle, you may not be exposed to the risk. And yet we are forced to patch the database.

Ah well. Just patch it and be done with it.

Tom Mercadante
Oracle Certified Professional

-----Original Message-----
From: [] Sent: Thursday, September 02, 2004 1:28 PM To:
Subject: RE: security alert - management up in arms


I had 3 managers ask me about this today. I am planning to put in dev = then prod but they want me to open emergency tickets and start doing = now!!!! All of our oracle databases are internal (inside of a = firewall). =20

My concern is having recently been burnt on Solaris 64-bit - = that this not be another exercise in Oracle regression testing.

I know that a security patch is much more focused and likely doesn't = have the same changes/impact as a patchset. However, what does everyone = do in terms of due diligence to ensure these security patches are not = going to
"break" Oracle functionality. It seems like it should be = reasonable to
put in dev/test - run for a little while then promote. = However, with we didn't come up with problems until we used = export/import and sql*loader.

Any thoughts on this?

"This e-mail is a critical technical alert which is being sent as a =
service to all MetaLink users!

The following Security Alert has been published on MetaLink by the = Oracle Security Compliance team:

August 31, 2004
Severity: 1=20

Alert #68: Oracle Security Update"

To unsubscribe - 
To read recent messages -
To unsubscribe - 
To read recent messages -
Received on Fri Sep 03 2004 - 06:56:15 CDT

Original text of this message