Pete Finnigan's Oracle Security Weblog

I have been following alert #68 comments and news on various forums and mailing lists that I am subscribed to for a few weeks now. I found some interesting comments on ORACLE-L over at freelists.org. In a thread called "Security Alert #68 - Have to upgrade versions prior to 9.2.0.4" where the poster asked for a sanity check on his plan to upgrade to 9.2.0.3 as he felt that this version does not need patching. This is not the case. Oracle recommends that you upgrade to a supported version in this case such as 9.2.0.4 or 9.2.0.5 and then apply patch 68.

A couple of interesting comments were posted to this thread, the first from Tom Mercadante who said

"Here's the best part. Oracle now has *two ways* of sending patches out to
us. One is the current (old) way where you run oracle installer. The other
(new) way is where you run Opatch. And even within Opatch, they do things
two different ways. Security Patch 68 has you run sqlplus and install new
packages, and then run patch.csh - which runs sqlplus and installs stuff."

and

"Seems like the bad old days are
reappearing - where the divisions are not talking to each other anymore, and
they release stuff that is not ready for prime time"

The second interesting comment was from Paul Drake who said

"use opatch 1.0.0.0.51, not 1.0.0.0.50.
I find myself checking the notes on Metalink on a daily basis for this one.

if you're running on win32 - the files under the "docs" folders are invaluable."

Good advice seems to be to review the Alert 68 FAQ regularly if you have still not applied the patches or are still in the process of doing so.