Re: OT: Oracle Critical Patch Article

From: Andrew Kerber <andrew.kerber_at_gmail.com>
Date: Tue, 15 Jan 2008 13:08:20 -0600
Message-ID: <ad3aa4c90801151108s3ddd1c7cu31563dcf279c8a07@mail.gmail.com>


Sarbanes-Oxley doesn't apply to the UK either. Do you have a similar law?

On Jan 15, 2008 12:36 PM, Niall Litchfield <niall.litchfield_at_gmail.com> wrote:

> The article predates the CPU, and indeed the survey may well predate the
> last one.
>
> I asked a similar question to a room full of apps dbas at UKOUG - though
> to be fair I was talking about how to apply CPUs to EBS so it was a biased
> audience. There were probably 75-100 people in the room (53 responded to the
> questionnaire and you never get everyone). 1 person was up to date, at least
> 2/3rd had never applied a CPU. Other people tend to find similar results.
>
> On the "we are not exposed to the internet" front, that has some merit but
> then the vast majority of attacks are internal anyway.
>
> Niall
>
>
> On Jan 15, 2008 5:12 PM, Paul Drake <bdbafh_at_gmail.com> wrote:
>
> >
> >
> > On Jan 15, 2008 10:42 AM, Taylor, Chris David <
> > Chris.Taylor_at_ingrambarge.com> wrote:
> >
> > > How many of you guys have seen this?
> > >
> > >
> > >
> > >
> > > http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057226&source=NLT_PM&nlid=8
> > >
> > >
> > >
> > > What are your thoughts? I know our organization falls into that
> > > category but primarily because we aren't exposed to the outside world. We
> > > don't have external applications so most times I believe that critical patch
> > > updates can be applied during a normal maintenance period.
> > >
> > >
> > >
> > > *chris*
> > >
> > Chris,
> >
> > The press release is located here:
> > http://www.sentrigo.com/press_releases-newsid-39.htm
> >
> > and Pete Finnigan wrote about it here:
> > http://www.petefinnigan.com/weblog/archives/00001141.htm
> >
> > Clearly, the company providing the figures has a self interest in having
> > a market for its products and services (which is disclaimed at the bottom of
> > the press release page).
> >
> > "When asked: "Have you installed *the latest* Oracle CPU?" – Just 31
> > people, or ten percent of the 305 respondents, reported that they applied
> > the most recently issued Oracle CPU."
> >
> > I just downloaded "the latest" critical patch update this morning, as
> > that is when it was released. I plan to apply it in a testing environment
> > later this afternoon.
> > Perhaps semantics matter here just a bit.
> >
> > Only 35 people in the survey replied yes to one of the questions. That's
> > a fairly small sample, statistically speaking. If a dba only gathered
> > (estimated) stats with a sample size of 32 blocks out of a table with say
> > 32K blocks, I doubt that the stats would be very accurate.
> >
> > Would developers be inclined to apply critical patch updates to
> > development servers (where there is no formal dba position)? I would think
> > not.
> >
> > Are critical patch updates available for Oracle XE databases? No.
> >
> > Are some applications running on database versions or patchsets that do
> > not have critical patch updates made available? Yes. (8.1.7.4 and
> > 10.1.0.4 spring to mind.)
> >
> > Would a dba be concerned about remote vulnerabilities for databases that
> > support only connections from application servers that are secured? Probably
> > not.
> >
> > I'm skeptical that the results are representative and are useful for
> > anything other than stirring discussion (and marketing).
> >
> > Paul
> >
> >
> >
> >
>
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info

-- 
Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jan 15 2008 - 13:08:20 CST
