RE: OT: Oracle Critical Patch Article

  • From: "Roberts, David \(GSD - UK\)" <david.h.roberts@xxxxxxxxxxxxx>
  • To: <andrew.kerber@xxxxxxxxx>
  • Date: Wed, 16 Jan 2008 10:50:08 -0000

According to The Register, any company that has at least 300 US
shareholders is 'bound by the requirements of Sarbanes-Oxley':

http://www.theregister.co.uk/2005/01/11/europeans_slam_sarbox/

David Roberts

LogicaCMG UK Limited
Registered in England and Wales (registered number 947968)
Registered office: Stephenson House, 75 Hampstead Road, London NW1 2PL,
United Kingdom

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Kerber
Sent: 15 January 2008 19:08
To: niall.litchfield@xxxxxxxxx
Cc: bdbafh@xxxxxxxxx; Chris.Taylor@xxxxxxxxxxxxxxx; oracle-l
Subject: Re: OT: Oracle Critical Patch Article

Sarbanes-Oxley doesn't apply to the UK either. Do you have a similar
law?

On Jan 15, 2008 12:36 PM, Niall Litchfield <niall.litchfield@xxxxxxxxx>
wrote:

The article predates the CPU, and indeed the survey may well predate the
last one. 

I asked a similar question to a room full of apps DBAs at UKOUG - though
to be fair I was talking about how to apply CPUs to EBS so it was a
biased audience. There were probably 75-100 people in the room (53
responded to the questionnaire and you never get everyone). 1 person was
up to date, at least 2/3rds had never applied a CPU. Other people tend to
find similar results.

On the "we are not exposed to the internet" front, that has some merit
but then the vast majority of attacks are internal anyway. 

Niall

On Jan 15, 2008 5:12 PM, Paul Drake <bdbafh@xxxxxxxxx> wrote:

On Jan 15, 2008 10:42 AM, Taylor, Chris David
<Chris.Taylor@xxxxxxxxxxxxxxx> wrote:

How many of you guys have seen this?

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057226&source=NLT_PM&nlid=8

What are your thoughts? I know our organization falls into that
category but primarily because we aren't exposed to the outside world.
We don't have external applications so most times I believe that
critical patch updates can be applied during a normal maintenance
period.

chris

Chris,

The press release is located here:
http://www.sentrigo.com/press_releases-newsid-39.htm

and Pete Finnigan wrote about it here: 
http://www.petefinnigan.com/weblog/archives/00001141.htm

Clearly, the company providing the figures has a self-interest in having
a market for its products and services (which is disclaimed at the
bottom of the press release page).

"When asked: "Have you installed the latest Oracle CPU?" - Just 31
people, or ten percent of the 305 respondents, reported that they
applied the most recently issued Oracle CPU."

I just downloaded "the latest" critical patch update this morning, as
that is when it was released. I plan to apply it in a testing
environment later this afternoon. 
Perhaps semantics matter here just a bit.

Only 35 people in the survey replied yes to one of the questions. That's
a fairly small sample, statistically speaking. If a dba only gathered
(estimated) stats with a sample size of 32 blocks out of a table with
say 32K blocks, I doubt that the stats would be very accurate. 

Would developers be inclined to apply critical patch updates to
development servers (where there is no formal dba position)? I would
think not.

Are critical patch updates available for Oracle XE databases? No. 

Are some applications running on database versions or patchsets that do
not have critical patch updates made available? Yes. (8.1.7.4 and
10.1.0.4 spring to mind.) 

Would a dba be concerned about remote vulnerabilities for databases that
support only connections from application servers that are secured?
Probably not.

I'm skeptical that the results are representative and are useful for
anything other than stirring discussion (and marketing). 

Paul








-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info

-- 
Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'

This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
