
Re: oracle security patch

From: Robert A.M. van Lopik <lopik_at_mail.telepac.pt>
Date: Wed, 8 Sep 2004 09:04:17 +0100
Message-ID: <2q7so2Fr99r7U1@uni-berlin.de>

"yls177" <yls177_at_hotmail.com> wrote in message news:c06e4d68.0409071824.88dfa22_at_posting.google.com...

> bdbafh_at_gmail.com (Paul Drake) wrote in message 
> news:<910046b4.0409070825.4138263d_at_posting.google.com>...

>> yls177_at_hotmail.com (yls177) wrote in message
>> news:<c06e4d68.0409070030.ebc3f7d_at_posting.google.com>...
>> > hi, our security guy requests me for this
>> > http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
>> > i took a look and find that my oracle product is not in the list of
>> > supported products affected. My current version is oracle 8i 8.1.7.2
>> > and the nearest it could affect is 8.1.7.4
>> >
>> > any comments?
>>
>> 0. include the relevant operating system info.
>>
>> 1. thoroughly test your backup/restore/recovery configuration.
>> 2. roll up your sleeves and test the 8.1.7.4.16 patchset (win32)
>> (after applying 8.1.7.4.1) in your test environment.
>> 3. apply to production during a scheduled maintenance window.
>> 4. seriously consider moving to 9.2.0.5 (with the patches issued for
>> alert #68 applied) soon.
>>
>> -bdbafh
>
>
>
> okay, my operating system is hpux 11.0 and my oracle version is posted as 
> above.

You should read the alert more carefully. It says 8.7.4 is vulnerable. It also says that unsupported versions have not been tested. That includes the version 8.1.7.2 you are running! Because the vulnerabilities are quite numerous they probably also sit in older parts of the code, so I would bet 8.1.7.2 is just as vulnerable as 8.1.7.4. Unfortunately you cannot test that, because the info Oracle gives on the nature of these vulnerabilities is rather vague. And you can't patch, because Oracle doesn't supply patches for unsupported versions.

So your best bet is, like Paul says, first upgrade to a supported version and then patch.

hth
rob van lopik

Received on Wed Sep 08 2004 - 03:04:17 CDT
