
Oracle security fixes are released between official cpu releases

From: Andre van Winssen <dreveewee_at_gmail.com>
Date: Wed, 25 Jul 2007 12:29:48 +0200
Message-ID: <9b46ac490707250329v55c6024cs1064abb49461be33@mail.gmail.com>


Hi list,

my finding is: Oracle security fixes are released between official cpu releases

not a big surprise really but it makes it even harder to define a database-vulnerability-protection policy that is supported by your businesses. An easy cover-my-.ss approach is to publish alerts internally saying that oracle has released a CPU (like 5948242 PATCH 4 WINDOWS 32 BIT 10.2.0.3 17-APR-2007 ) and that we HAVE TO apply this patch asap (after some sanity testing of course).
Is my job done then ? I believe not. But telling my organization that more security fixes will follow before the next cpu is released and they better be applied too doesn't help in getting this patch policy embraced and doesn't make my message popular amongst managers and DBA's who have to do the work.

I tried the bunkerview on a 10203 database which had patch 7 (6038241) applied which is also labeled as cpu APRIL 2007 and it failed. So looks like it was already fixed before Cpu July 2007 came out. That makes me believe that Oracle releases security fixes in between cpu's. Below's the patch history on windows 32 bit platform for 10.2.0.3 since cpu april 2007:

6116131 PATCH 8 WINDOWS 32 BIT 10.2.0.3 17-JUL-2007 (First Cpu July 2007)
6038241 PATCH 7 WINDOWS 32 BIT 10.2.0.3 05-JUL-2007
6012742 PATCH 6 WINDOWS 32 BIT 10.2.0.3 07-JUN-2007
5946186 PATCH 5 WINDOWS 32 BIT 10.2.0.3 19-MAY-2007
5948242 PATCH 4 WINDOWS 32 BIT 10.2.0.3 17-APR-2007 (First Cpu April 2007)

Without doubt this won't be a lot different on other platforms.

SQL> show user
USER is "HEK"
SQL> select * from user_sys_privs;

USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
HEK                            CREATE SESSION                           NO
HEK                            CREATE VIEW                              NO

SQL> /
select x.name,x.password from sys.user$ x ..
                                  *
ERROR at line 2:
ORA-00942: table or view does not exist

These in between fixes are NOT picked up by grid control !

I am interested to hear stories from other Oracle customers.

regards,

Andre

--

http://www.freelists.org/webpage/oracle-l Received on Wed Jul 25 2007 - 05:29:48 CDT
