You always have some exposure internally to just people wanting to see if they can
get to something and you never know when a hole will open exposure remotely.
As a DBA/SA the only thing you can do is to simply keep up with patching and
that includes moving off an older version of the OS. You are on Linux and
unless you are also behind in your version of the Oracle database then you
should be able to simply build a new server/VM and perform a standby flip to it
and keep moving forward instead of worrying about these security patches. If
you don’t like OL7 yet, then you can always go to OL6.
Most larger organizations who are under any type of major compliance rules
normally are looking at continuous remediation. I have always been one to not
only try and pick up the Oracle quarterly patches but also the OS equivalent
patches so we are always moving forward. The OS patches except for a few Oracle
products/features normally move upwards with very few if any problems on the
Oracle side.
Matthew Parker
Chief Technologist
Dimensional DBA
425-891-7934 (cell)
D&B 047931344
CAGE 7J5S7
Dimensional.dba@xxxxxxxxxxx
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On
Behalf Of Rich J
Sent: Friday, January 29, 2016 6:58 AM
To: Oracle L
Subject: Security patching on older Oracle Linux
Hey all,
So, I'm reading about the new OpenSSL security issue at
http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-attackers-to-decrypt-https-traffic/
and there are a few things I noted. First, it only affects v1.0.2. Good for
me. Second, support for 0.9.8 is done. Potentially bad for me. Third, the
yum repos for Oracle Linux 5 stop at 0.9.8. Seemingly worse for me.
My Oracle Linux box has very low exposure internally and no exposure
externally, but that doesn't mean future ones will be similarly walled off.
What's a DBA/SA to do? Migrating this box to a new OL7 one is frankly a huge
undertaking with near-zero return. (The Oracle DB on there is actually the
easiest to move!)
Thoughts?
Rich