Comments as ever

On Mon, 20 Sep 2004 16:10:39 -0400, Paul Drake <bdbafh@xxxxxxxxx> wrote:
> I'm really hoping that Oracle changes their position on this one ...
> but in case someone has already obtained more info on this issue
> already ...

I'd also like more info, but if the client is affected - and I was wondering how it wouldn't be for some of the vulnerabilities - then just patching the server/app server seems to only be doing half a job.

> What is your company's position on applying the patchsets covered by
> Oracle Security Alert #68 - to the Oracle Client Software already
> installed on desktops and application servers (not the Oracle Database
> server(s)).

We'd do the app servers as a matter of course - 3000 remote laptops is a somewhat different proposition. I haven't looked at doing that yet. In the past we have used SMS; I'm not sure whether we'd go that way here.

> This is mentioned (in no detail) in the following doc:
>
> http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=282108.1
>
> Item #21.
>
> 21. Is the Database Client install equally vulnerable?
>
> Yes, according to Development, all database clients on all
> versions have to be patched also. The same patch for the database
> server can be applied on the client installation also.
>
> thanks in advance for your opinions.

Sounds like the person writing the patch note doesn't know what the patch does....

--
Niall Litchfield
Oracle DBA
http://www.niall.litchfield.dial.pipex.com