Oracle security fixes are released between official cpu releases
Hi list,
My finding is: Oracle security fixes are released between official CPU releases.
Not a big surprise really, but it makes it even harder to define a
database-vulnerability-protection policy that is supported by your
businesses. An easy cover-my-.ss approach is to publish alerts internally
saying that Oracle has released a CPU (like 5948242 PATCH 4 WINDOWS 32 BIT
10.2.0.3 17-APR-2007) and that we HAVE TO apply this patch asap (after some
sanity testing of course).
Is my job done then? I believe not. But telling my organization that more
security fixes will follow before the next CPU is released and they better
be applied too doesn't help in getting this patch policy embraced and
doesn't make my message popular amongst managers and DBAs who have to do
the work.
I tried the bunkerview on a 10203 database which had patch 7 (6038241) applied, which is also labeled as CPU APRIL 2007, and it failed. So it looks like it was already fixed before CPU July 2007 came out. That makes me believe that Oracle releases security fixes in between CPUs. Below is the patch history on the Windows 32-bit platform for 10.2.0.3 since CPU April 2007:
6116131 PATCH 8 WINDOWS 32 BIT 10.2.0.3 17-JUL-2007 (First Cpu July 2007)
6038241 PATCH 7 WINDOWS 32 BIT 10.2.0.3 05-JUL-2007
6012742 PATCH 6 WINDOWS 32 BIT 10.2.0.3 07-JUN-2007
5946186 PATCH 5 WINDOWS 32 BIT 10.2.0.3 19-MAY-2007
5948242 PATCH 4 WINDOWS 32 BIT 10.2.0.3 17-APR-2007 (First Cpu April 2007)
Without doubt this won't be a lot different on other platforms.
SQL> show user
USER is "HEK"
SQL> select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
HEK                            CREATE SESSION                           NO
HEK                            CREATE VIEW                              NO
SQL> /
select x.name,x.password from sys.user$ x ..
*
These in-between fixes are NOT picked up by Grid Control!
I am interested to hear stories from other Oracle customers.
regards,
Andre
--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jul 25 2007 - 05:29:48 CDT