Re: security alert - management up in arms

  • From: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Fri, 3 Sep 2004 14:39:12 +0100

From the notes on security patches - It would seem that Oracle say Go
ahead - if it doesn't work call us!



22. The patch README file mentioned "You must have NO OTHER PATCHES
installed on your Oracle Server since the latest patch set (or base
release x.y.z if you have no patch sets installed)."  What do I do if
I have applied any one-off patches?

    We put in this warning as a standard practice with the readmes of
ALL interim (one-off) patches, because the application of any patch
can add risk to the processing environment. Interim patches are not
tested as extensively as patchsets. The customers need to know that
there is always a possibility of a file conflict with a previous
patch that was applied since the last patchset.

    However, the customer should still try to apply the patch with
opatch. If a conflict is reported and the conflict is not pointing to a
previous security alert, the customer should request a merge patch.
Otherwise, they can ignore the conflict report.



On Thu, 2 Sep 2004 15:22:42 -0400, paula_stankus@xxxxxxxxxxxxxxx
<paula_stankus@xxxxxxxxxxxxxxx> wrote:
> Now, I read the security patch and it says "You must have NO OTHER
> PATCHES installed on your Oracle server since the last patch set".  NOW
> WHAT!@#@!#!@!#!@#!@
> 
> 
> 
> -----Original Message-----
> From: Stankus, Paula G
> Sent: Thursday, September 02, 2004 1:28 PM
> To: 'oracle-l@xxxxxxxxxxxxx'
> Subject: RE: security alert - management up in arms
> 
> Guys,
> 
> I had 3 managers ask me about this today.  I am planning to put in dev
> then prod but they want me to open emergency tickets and start doing
> now!!!!  All of our Oracle databases are internal (inside of a
> firewall).
> 
> My concern is having recently been burnt on 9.2.0.5 Solaris 64-bit -
> that this not be another exercise in Oracle regression testing.
> 
> I know that a security patch is much more focused and likely doesn't
> have the same changes/impact as a patchset.  However, what does everyone
> do in terms of due diligence to ensure these security patches are not
> going to "break" Oracle functionality?  It seems like it should be
> reasonable to put in dev/test - run for a little while then promote.
> However, with 9.2.0.5 we didn't come up with problems until we used
> export/import and sql*loader.
> 
> Any thoughts on this?
> 
> "This e-mail is a critical technical alert which is being sent as a
> service to all MetaLink users!
> 
> The following Security Alert has been published on MetaLink by the
> Oracle Security Compliance team:
> 
> August 31, 2004
> Severity: 1
> 
> Alert #68: Oracle Security Update"
> 



-- 
Niall Litchfield
Oracle DBA
http://www.niall.litchfield.dial.pipex.com