
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Alex has added days to fix to his Oracle security advisories

I just got an interesting email from Alex to say that he has added the number of days it took Oracle to fix each of the bugs he has published security alerts for.

The note at the top of the page states:

"Oracle is really slow in fixing security issues. For our security issues it takes 356 days until Oracle provided a fix for the reported issues. Many issues were fixed without informing their customers"

I think this figure of 356 days refers either to those advisories with no specific number of days to fix, or it could be an average (Alex?).

The worst figure quoted by Alex is 656 days for the bug "Buffer Overflow in Create Database Link in Oracle8i - 9i". This is not really on! Why should it take almost two years to fix a bug in any software, especially a security bug?

Finally, on Alex's "Upcoming Security Alerts" page there are no days-to-fix figures, as those bugs are not fixed yet, but it does not need much maths skill to see that quite a few were reported in 2003, the earliest in July 2003.

Oracle has made great advances in the content of their advisories. I hope that they will improve on the number of days it takes to fix security bugs as well.