Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Can application names be changed to spoof logon triggers?"] [Next entry: "Nice four part paper on label security by Jim Czuprynski"]

The patch set is out

I just noticed today that the path set is out for Win32 but doesn't seem to be out for other platforms yet. There is a note on metalink that describes the known issues fixed in - Note 189908.1 lists the 9.2.0.x patch sets and also links to two further notes. The first of which is 283899.1 which is for known issues and alerts affecting The second is 283897.1 which is the list of fixes in

The only security specific mention in the first document is about a HTTP server patch for which is part of alert #68.

The second document lists hundreds of bug fixes but specifically lists alert 68 in the general section (no details). It is also listed again in the security and denial of service section, in advanced / secure network section there is a bug mentioned (3889519) that say’s there are errors with data transfer with SSL when security patch 68 is installed. There is also a bug about importing a wrapped password verification function. There are nine bugs fixed in Oracle label security. There are 6 specific errors fixed in the row level security functionality.

It is important to apply new patch sets as they quite often fix "silent" security bugs. These are security bugs that are not part of a security alert. This could be because these security issues are not reported as such by the finder of the problem.