Niall, Out of respect to NYOUG, I didn't bring that topic up with Charles E. Phillips, Jr. during the Q & A session after his keynote speech at the NYOUG seminar today. But I sure was tempted. It may be time for an iTAR on this one if a search of the Metalink forums doesn't yield any results. Paul On Tue, 21 Sep 2004 09:43:49 +0100, Niall Litchfield <niall.litchfield@xxxxxxxxx> wrote: > comments as ever > On Mon, 20 Sep 2004 16:10:39 -0400, Paul Drake <bdbafh@xxxxxxxxx> wrote: > > I'm really hoping that Oracle changes their position on this one ... > > but in case someone has already obtained more info on this issue > > already ... > > I'd also like more info, but if the client is affected - and I was > wondering how it wouldn't be for some of the vulnerabilities - then > just patching the server/app server seems to only be doing half a job. > > > What is your company's position on applying the patchsets covered by > > Oracle Security Alert #68 - to the Oracle Client Software already > > installed on desktops and application servers (not the Oracle Database > > server(s)). > > we'd do the app servers as a matter of course - 3000 remote laptops is > a somewhat different proposition. I haven't looked at doing that yet, > in the past we have used SMS I'm not sure whether we'd go that way > here. > > > > This is mentioned (in no detail) in the following doc: > > > > http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=282108.1 > > > > Item #21. > > > > 21. Is the Database Client install equally vulnerable? > > > > Yes, according to Development, all database clients on all > > versions have to be patched also. The same patch for the database > > server can be applied on the client installation also. > > > > thanks in advance for your opinions. > > Sounds like the persdon writing the patch note doesn't know what the > patch does.... > > > -- > Niall Litchfield > Oracle DBA > http://www.niall.litchfield.dial.pipex.com > -- //www.freelists.org/webpage/oracle-l