I have just noticed that Oracle have released their advisory for the first quarterly security patch update. This is the first of the scheduled patches announced last year and talked about here and on news sites around the world.
Oracle's advisory titled "Critical patch update - January 2005" is also a change from the previous naming convention with alert 68 being the last of the original naming convention.
The advisory is a comprehensive document and contains much better information than previous advisories from Oracle. The patch also contains all the fixes included in alert #68. It also contains some non security fixes that are necessary because of interdependencies.
The key addition in this advisory over previous advisories is the new risk matrix that details each bug to some degree and also the risk. Each bug is numbered and the component identified such as Database core, networking, package name etc. Then the access required is listed. Then the privileges necessary for the bug to be exploited, then the risk matrix for confidentiality, integrity and availability. Finally earliest and latest versions are listed as well as whether a workaround is possible.
This is excellent, well done to Mary Ann Davidson and her team for doing this and improving the information available with the security advisory as compared to previous advisories. I hope that in particular the risk matrix will really help customers make decisions about applying the patches quickly and confidently. Also well done for supporting some of the older releases where it’s relevant. Excellent!
I also see that there are patches for older versions and even de-supported versions which are supported for particular products only. Again a big move forwards.
Links for each patch set are included in the alert. The alert also credits the researchers who have brought bugs to the attention of Oracle. This included Pete Finnigan (me), Alex Kornbrust, Stephen Kost and David Litchfield.
I will release an advisory later this evening now that Oracles advisory is out.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "The first Oracle security alert for Jan 18th - First quarterly scheduled security patch"] [Next entry: "Security alert released by Pete Finnigan"]
January 2005
- Oracle security and content management - 01/01/2005 by 01/01/2005
- Some updates to the Oracle default password list - 01/02/2005 by 01/02/2005
- Nice article on SQL Injection - 01/03/2005 by 01/03/2005
- Frank has a review of Bruce Schneier book "Beyond Fear" - 01/04/2005 by 01/04/2005
- We have moved - 01/05/2005 by 01/05/2005
- Schema difference tool - 01/07/2005 by 01/07/2005
- CREATE SCHEMA - does it do what it says on the tin? - 01/08/2005 by 01/08/2005
- Becoming another user - 01/09/2005 by 01/09/2005
- A nice simple DBMS_OBFUSCATION_TOOLKIT example by Nimzo Benoni - 01/10/2005 by 01/10/2005
- Howard Rogers has a good article about database links - 01/11/2005 by 01/11/2005
- Amis blog has an entry all about OpenVPN - 01/12/2005 by 01/12/2005
- Sarbanes Oxley and Oracle - 01/13/2005 by 01/13/2005
- Adam Martins Oracle password cracker seems to not be available - 01/14/2005 by 01/14/2005
- Great tool for security checking a PC - 01/15/2005 by 01/15/2005
- Penetration testing research and cost effective security - 01/16/2005 by 01/16/2005
- HTML Kit - 01/17/2005 by 01/17/2005
- Security alert released by Pete Finnigan - 01/18/2005 by 01/18/2005
- Alexander Kornbrust has an advisory for CPU - January 2005 - 01/19/2005 by 01/19/2005
- Search Oracle talks about the Critical Patch Update - 01/20/2005 by 01/20/2005
- Translation of www.Heise.de German news article - 01/21/2005 by 01/21/2005
- oops missed off the link - 01/22/2005 by 01/22/2005
- Steve Kost has released an Integrigy advisory for CPU - January 2005 - 01/23/2005 by 01/23/2005
- Tom talks about proxy users - 01/24/2005 by 01/24/2005
- Updated internals and Oracle applications security page - 01/25/2005 by 01/25/2005
- default passwords and Oracle default passwords - 01/26/2005 by 01/26/2005
- Frank has a great blog entry about web application security - 01/27/2005 by 01/27/2005
- Interesting thread on Oracle-l about ftp'ing data into the database - 01/28/2005 by 01/28/2005
- Some interesting comments about CPU - Jan 2005 on c.d.o.s - 01/29/2005 by 01/29/2005
- Andrej Koelewijn talks about google stopping comment spam - 01/30/2005 by 01/30/2005
- Happy birthday to orablogs.com - 01/31/2005 by 01/31/2005
Archives
Syndication
Powered by gm-rss 2.0.0
