As a rule, I stay away from the "one-off" or "standalone" patches for the RDBMS, unless I actually need the patch or it has been recommended for something specific. The so-called security patches don't always become necessary -- i.e., I haven't applied all the security patches. Another grouse is that these patches are only being released on the latest patchset, i.e., 8.1.7.4. Now I have a number of databases on 8.1.7.2 and 8.1.7.3 and I'd have to get downtime to first take them to 8.1.7.4!
Moreover, with a "suite" Oracle Applications, guessing the APPS password would be a much easier way to get or trash any and all the data!
Hemant
At 01:29 PM 14-02-03 -0800, you wrote:
I downloaded some of these interim patches. Fortunately for me,
the software needed to apply the patch is not included in the
distribution. The readme points to Oracle9i Data Server Interim Patch
Installation (OPatch) Doc ID: 189489.1, which says:
"An Interim Patch is tested by itself but no system regression testing
is done until it is included in the next Patch Set. Because of this,
it is highly recommended that all customers needing bug fixes wait for
a Patch Set or product release that includes the fix."
and
"The fix in each Interim Patch is a separate and unique branch off the
base code line and does not automatically include other fixes made
since the last baseline. Oracle does this to minimize the risk that a
patch will have unexpected side effects. Because of this it is
possible that a particular Interim Patch could cancel out a previously
installed Interim Patch."
I find this approach to system security reprehensible.
1. I count 6 outstanding security related patches since the last patchset,
9.2.0.2.
2. I don't believe there will be a patchset beyond 8.1.7.4 and there
are outstanding holes. That means I have to apply the one-off, untested
patches to production services.
3. There is no point in releasing the advisory if there is no action that they
"suggest" you take.
4. When do you know when you need to apply an interim security patch? Would
that be before or after the system is hacked?
Oracle Corp.: You take the blue pill and the story ends. You wake in your bed
and you believe whatever you want to believe.
Have a nice weekend.
On Thu, Feb 13, 2003 at 02:11:48PM -0800, Ray Stell wrote:
>
> http://otn.oracle.com/deploy/security/alerts.htm
===============================================================
Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC 28^D
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Ray Stell
INET: [EMAIL PROTECTED]
Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
Hemant K Chitale
My web site page is: http://hkchital.tripod.com
