RE: security alert - management up in arms

  • From: "Mercadante, Thomas F" <thomas.mercadante@xxxxxxxxxxxxxxxxx>
  • To: "'oracle-l@xxxxxxxxxxxxx'" <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 3 Sep 2004 08:00:33 -0400

Paula,

You can always take the approach that if Oracle says it must be patched, and
you have warned management that the patch should be applied and tested
before it goes to production, then you have at least done your part to warn
everyone of the risks involved.

I think for the most part that Oracle patches do not at least cause any harm
- that at the very least there is *another* patch that should fix any new
problems that arise.  We have entered a new world with these freekin Oracle
security patches.  We're being forced to apply patches even though we don't
have any exposure to the problem.

For example, if you do not allow the scheduling of jobs within Oracle, you
may not be exposed to the risk.  And yet we are forced to patch the
database.

Ah well.  Just patch it and be done with it.

Tom Mercadante
Oracle Certified Professional


-----Original Message-----
From: Paula_Stankus@xxxxxxxxxxxxxxx [mailto:Paula_Stankus@xxxxxxxxxxxxxxx] 
Sent: Thursday, September 02, 2004 1:28 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: security alert - management up in arms


Guys,


I had 3 managers ask me about this today.  I am planning to put in dev
then prod but they want me to open emergency tickets and start doing
now!!!!  All of our oracle databases are internal (inside of a firewall).

My concern is having recently been burnt on 9.2.0.5 Solaris 64-bit - that
this not be another exercise in Oracle regression testing.

I know that a security patch is much more focused and likely doesn't have
the same changes/impact as a patchset.  However, what does everyone do in
terms of due diligence to ensure these security patches are not going to
"break" Oracle functionality.  It seems like it should be reasonable to
put in dev/test - run for a little while then promote.  However, with
9.2.0.5 we didn't come up with problems until we used export/import and
sql*loader.

Any thoughts on this?

"This e-mail is a critical technical alert which is being sent as a
service to all MetaLink users!

The following Security Alert has been published on MetaLink by the Oracle
Security Compliance team:

August 31, 2004
Severity: 1

Alert #68: Oracle Security Update"




---
To unsubscribe - mailto:oracle-l-request@xxxxxxxxxxxxx&subject=unsubscribe 
To read recent messages - //freelists.org/archives/oracle-l/09-2004