RE: Security patching on older Oracle Linux
Date: Fri, 29 Jan 2016 13:46:05 -0800
Message-ID: <01f001d15ade$755cca70$60165f50$_at_comcast.net>
You always have some exposure internally to just people wanting to see if they can get to something, and you never know when a hole will open exposure remotely.
As a DBA/SA the only thing you can do is to simply keep up with patching and that includes moving off an older version of the OS. You are on Linux and unless you are also behind in your version of the Oracle database then you should be able to simply build a new server/VM and perform a standby flip to it and keep moving forward instead of worrying about these security patches. If you don’t like OL7 yet, then you can always go to OL6.
Most larger organizations who are under any type of major compliance rules normally are looking at continuous remediation. I have always been one to not only try and pick up the Oracle quarterly patches but also the OS equivalent patches so we are always moving forward. The OS patches except for a few Oracle products/features normally move upwards with very few if any problems on the Oracle side.
Matthew Parker
Chief Technologist
Dimensional DBA
425-891-7934 (cell)
D&B 047931344
CAGE 7J5S7
Dimensional.dba_at_comcast.net
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Rich J
Sent: Friday, January 29, 2016 6:58 AM
To: Oracle L
Subject: Security patching on older Oracle Linux
Hey all,
So, I'm reading about the new OpenSSL security issue at http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-attackers-to-decrypt-https-traffic/ and there are a few things I noted. First, it only affects v1.0.2. Good for me. Second, support for 0.9.8 is done. Potentially bad for me. Third, the yum repos for Oracle Linux 5 stop at 0.9.8. Seemingly worse for me.
My Oracle Linux box has very low exposure internally and no exposure externally, but that doesn't mean future ones will be similarly walled off. What's a DBA/SA to do? Migrating this box to a new OL7 one is frankly a huge undertaking with near-zero return. (The Oracle DB on there is actually the easiest to move!)
Thoughts?
Rich
-- http://www.freelists.org/webpage/oracle-l
Received on Fri Jan 29 2016 - 22:46:05 CET