Return-Path: <root@fatcity.cts.com>
Received: from ensim.rackshack.net (root@localhost)
 by orafaq.net (8.11.6/8.11.6) with ESMTP id h1F5HPu19052
 for <oracle-l@orafaq.net>; Fri, 14 Feb 2003 23:17:25 -0600
X-ClientAddr: 209.68.248.164
Received: from newsfeed.cts.com (newsfeed.cts.com [209.68.248.164])
 by ensim.rackshack.net (8.11.6/8.11.6) with ESMTP id h1F5HPQ19047
 for <oracle-l@orafaq.net>; Fri, 14 Feb 2003 23:17:25 -0600
Received: from fatcity.UUCP (uucp@localhost)
 by newsfeed.cts.com (8.9.3/8.9.3) with UUCP id SAA34551;
 Fri, 14 Feb 2003 18:00:56 -0800 (PST)
Received: by fatcity.com (26-Feb-2001/v1.0g-b72/bab) via UUCP id 0054E64A; Fri, 14 Feb 2003 17:29:06 -0800
Message-ID: <F001.0054E64A.20030214172906@fatcity.com>
Date: Fri, 14 Feb 2003 17:29:06 -0800
To: Multiple recipients of list ORACLE-L <ORACLE-L@fatcity.com>
X-Comment: Oracle RDBMS Community Forum
X-Sender: Hemant K Chitale <hkchital@singnet.com.sg>
Sender: root@fatcity.com
Reply-To: ORACLE-L@fatcity.com
Errors-To: ML-ERRORS@fatcity.com
From: Hemant K Chitale <hkchital@singnet.com.sg>
Subject: Re: 02/11/2003 security alerts
Organization: Fat City Network Services, San Diego, California
X-ListServer: v1.0g, build 72; ListGuru (c) 1996-2001 Bruce A. Bergman
Precedence: bulk
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Content-Transfer-Encoding: 7bit


As a rule, I stay away from the "one-off" or "standalone" patches for
the RDBMS, unless I actually need the patch or it has been recommended
for something specific.  The so-called security patches don't always
become necessary -- i.e., I haven't applied all the security patches.
Another grouse is that these patches are only being released on the
latest patchset, i.e. 8.1.7.4.  Now I have a number of databases on 8.1.7.2
and 8.1.7.3 and I'd have to get downtime to first take them to 8.1.7.4!

Moreover, with a "suite" like Oracle Applications, guessing the APPS password
would be a much easier way to get or trash any and all the data!

Hemant
At 01:29 PM 14-02-03 -0800, you wrote:

>I downloaded some of these interim patches. Fortunately for me,
>the software needed to apply the patch is not included in the
>distribution.  The readme points to Oracle9i Data Server Interim Patch
>Installation (OPatch) Doc ID: 189489.1, which says:
>
>  "An Interim Patch is tested by itself but no system regression testing
>  is done until it is included in the next Patch Set. Because of this,
>  it is highly recommended that all customers needing bug fixes wait for
>  a Patch Set or product release that includes the fix."
>
>and
>
>  "The fix in each Interim Patch is a separate and unique branch off the
>  base code line and does not automatically include other fixes made
>  since the last baseline.  Oracle does this to minimize the risk that a
>  patch will have unexpected side effects. Because of this it is
>  possible that a particular Interim Patch could cancel out a previously
>  installed Interim Patch."
>
>I find this approach to system security reprehensible.
>
>1. I count 6 outstanding security-related patches since the last patchset,
>    9.2.0.2.
>
>2. I don't believe there will be a patchset beyond 8.1.7.4 and there
>    are outstanding holes.  That means I have to apply the one-off, untested
>    patches to production services.
>
>3. There is no point in releasing the advisory if there is no action that they
>    "suggest" you take.
>
>4. When do you know when you need to apply an interim security patch?  Would
>    that be before or after the system is hacked?
>
>Oracle Corp.:  You take the blue pill and the story ends.  You wake in
>your bed and you believe whatever you want to believe.
>
>Have a nice weekend.
>
>
>
>On Thu, Feb 13, 2003 at 02:11:48PM -0800, Ray Stell wrote:
> >
> > http://otn.oracle.com/deploy/security/alerts.htm
>===============================================================
>Ray Stell   stellr@vt.edu     (540) 231-4109     KE4TJC    28^D
>--
>Please see the official ORACLE-L FAQ: http://www.orafaq.net
>--
>Author: Ray Stell
>   INET: stellr@cns.vt.edu
>
>Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
>San Diego, California        -- Mailing list and web hosting services
>---------------------------------------------------------------------
>To REMOVE yourself from this mailing list, send an E-Mail message
>to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in
>the message BODY, include a line containing: UNSUB ORACLE-L
>(or the name of mailing list you want to be removed from).  You may
>also send the HELP command for other information (like subscribing).

Hemant K Chitale
My web site page is :  http://hkchital.tripod.com


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Hemant K Chitale
  INET: hkchital@singnet.com.sg

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
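
The two practical points raised in this exchange, that a one-off is built only against the latest patchset (so an 8.1.7.2 or 8.1.7.3 database needs the patchset upgrade first) and that two one-offs can cancel each other out because each is a separate branch off the baseline, can be turned into a simple triage over a database inventory. The following is an added example written for this page; it is not code from either poster or from Oracle. The database names, patch ids, file lists and the rules themselves (exact patchset match required; overlapping replaced files treated as a possible conflict) are constructed assumptions standing in for what OPatch actually checks.

```python
"""Triage of one-off (interim) security patches against a database inventory.

Added example for this thread, not code from either poster or from Oracle.
Inventory, patch ids and file lists are constructed; the rules (exact patchset
match, file overlap == possible conflict) are simplified assumptions.
"""
from dataclasses import dataclass, field

APPLY = "apply"
APPLY_CHECK_CONFLICTS = "apply, then re-verify overlapping one-offs"
UPGRADE_FIRST = "upgrade patchset first"
NOT_APPLICABLE = "not applicable to this release line"
ALREADY_APPLIED = "already applied"


def parse_version(v: str) -> tuple:
    """'8.1.7.3' -> (8, 1, 7, 3): compare numerically, never as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class InterimPatch:
    patch_id: str
    base_version: str        # patchset the one-off was built and tested against
    files: frozenset         # files the one-off replaces (constructed here)


@dataclass
class Database:
    name: str
    version: str
    applied: list = field(default_factory=list)


def conflicts(new: InterimPatch, applied: list) -> list:
    """One-offs branch from the baseline and ship whole replacement files, so
    two one-offs that replace the same file cannot both be in effect: the later
    install drops the earlier fix (the 'cancel out' caveat in the OPatch note).
    Overlapping file sets are the signal used here (assumption)."""
    return sorted(p.patch_id for p in applied if p.files & new.files)


def triage(db: Database, patch: InterimPatch) -> dict:
    """Decide what a given one-off means for a given database."""
    have, need = parse_version(db.version), parse_version(patch.base_version)
    result = {"db": db.name, "patch": patch.patch_id, "conflicts": []}
    if any(p.patch_id == patch.patch_id for p in db.applied):
        result["action"] = ALREADY_APPLIED
    elif have == need:
        result["conflicts"] = conflicts(patch, db.applied)
        result["action"] = APPLY_CHECK_CONFLICTS if result["conflicts"] else APPLY
    elif have[:3] == need[:3] and have < need:
        # Same release line (e.g. 8.1.7.x) but an older patchset: the one-off
        # only exists for the latest patchset, so the patchset upgrade comes first.
        result["action"] = f"{UPGRADE_FIRST}: {db.version} -> {patch.base_version}"
    else:
        result["action"] = NOT_APPLICABLE
    return result


def plan(databases: list, alerts: list) -> list:
    """Cross every database with every outstanding alert."""
    return [triage(db, p) for db in databases for p in alerts]


# Constructed sample data (hypothetical patch ids and file lists).
PATCH_A = InterimPatch("ONEOFF-A", "8.1.7.4", frozenset({"lib/libserver8.a", "bin/oracle"}))
PATCH_B = InterimPatch("ONEOFF-B", "8.1.7.4", frozenset({"bin/oracle"}))  # overlaps PATCH_A
PATCH_C = InterimPatch("ONEOFF-C", "9.2.0.2", frozenset({"lib/libserver9.a"}))

INVENTORY = [
    Database("PROD1", "8.1.7.4", applied=[PATCH_A]),
    Database("PROD2", "8.1.7.2"),
    Database("DEV1", "9.2.0.2"),
]

if __name__ == "__main__":
    for row in plan(INVENTORY, [PATCH_B, PATCH_C]):
        extra = f" (overlaps {', '.join(row['conflicts'])})" if row["conflicts"] else ""
        print(f"{row['db']:6} {row['patch']:9} {row['action']}{extra}")
```

Run as-is it prints one line per database/patch pair: PROD1 can take ONEOFF-B but must re-verify ONEOFF-A afterwards because both replace bin/oracle, PROD2 has to go to 8.1.7.4 before ONEOFF-B is even applicable, and the 9.2.0.2 patch is irrelevant to the 8.1.7 databases.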

