Re: security alert - management up in arms

From: Niall Litchfield <>
Date: Fri, 3 Sep 2004 14:39:12 +0100
Message-ID: <>

From the notes on security patches - It would seem that Oracle say Go
ahead - if it doesn't work call us!

22. The patch README file mentioned "You must have NO OTHER PATCHES installed on your Oracle Server since the latest patch set (or base release x.y.z if you have no patch sets installed)." What do I do if I have applied any one-off patches?

    We put in this warning as a standard practice with the readmes of ALL interim (one-off) patches, because the application of any patch can add risk to the processing environment. Interim patches are not tested as extensively as patchsets. The customers need to know that there is always a possibility of file conflicts with a previous patch that was applied since the last patchset.

    However, the customer should still try to apply the patch with opatch. If a conflict is reported and the conflict is not pointing to a previous security alert, the customer should request a merge patch. Otherwise, they can ignore the conflict report.

On Thu, 2 Sep 2004 15:22:42 -0400, <> wrote:
> Now, I read the security patch and it says "You must have NO OTHER PATCHES installed on your Oracle server since the last patch set". NOW WHAT!@#@!#!@!#!@#!@
> -----Original Message-----
> From: Stankus, Paula G
> Sent: Thursday, September 02, 2004 1:28 PM
> To: ''
> Subject: RE: security alert - management up in arms
> Guys,
> I had 3 managers ask me about this today. I am planning to put in dev then prod but they want me to open emergency tickets and start doing now!!!! All of our oracle databases are internal (inside of a firewall).
> My concern is having recently been burnt on Solaris 64-bit - that this not be another exercise in Oracle regression testing.
> I know that a security patch is much more focused and likely doesn't have the same changes/impact as a patchset. However, what does everyone do in terms of due diligence to ensure these security patches are not going to "break" Oracle functionality. It seems like it should be reasonable to put in dev/test - run for a little while then promote. However, with we didn't come up with problems until we used export/import and sql*loader.
> Any thoughts on this?
> "This e-mail is a critical technical alert which is being sent as a service to all MetaLink users!
> The following Security Alert has been published on MetaLink by the Oracle Security Compliance team:
> August 31, 2004
> Severity: 1
> Alert #68: Oracle Security Update"

Niall Litchfield
Oracle DBA
Received on Fri Sep 03 2004 - 08:34:54 CDT
