Pete Finnigan's Oracle Security Weblog

Oracle have made some big updates to the alert #68 advisory. The update is dated 2nd of March. The advisory available from Oracles Critical Patch Updates and Security Alerts page. The advisory is titled "Oracle Security Update Alert #68, Rev 4, 2 March 2005". The main change made for this revision is that Oracle have now detailed out each vulnerability that has been fixed and each has been given an identifier number such as DB20, these numbers are similar to the more recent CPU Jan 2005 advisory. The numbers in alert #68 do not relate to the newer advisory. Oracle have also added a risk matrix for each vulnerability and identified each one with a number, the component - e.g. dictionary, extproc, the require access (protocol), authorisation needed, and then the risk broken down into confidentiality, integrity and availability. The matrix also includes the earliest supported release and also the last affected patch set.

There is also a second section called required conditions which details the conditions needed to exploit the issue. There is also a workarounds section but this only includes a fix for bug DB21.

There is a new matrix for the database and the Oracle application server where there are relevant bugs in each.


This level of information now matches that released in the recent first quarterly patch scheduled release CPU Jan 2005. This level of information for alert #68 is great and I guess will be well received. The pity is that this information was not available at the time of the initial release of the advisory. It would have been more useful then with more customers crying out for detailed information to assist in assessing whether to apply the patches for this advisory.

Well done to Oracle for backdating this information and releasing it. It does show that Oracle is listening to criticisms regarding bugs and fixes in the area of releasing more information to assist customers.