Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Tim Gorman has updated his excellent script"] [Next entry: "Mark has a post about Oracle's talks to buy Siebel"]

There is a security problem with Critical Patch Update April 2005 and alert #65

I just got an email from Alex to let me know he had received an email from Oracle about a security problem with the latest scheduled patch set CPU April 2005 for the database server for versions and This looks like a standard email to all Oracle customers. I have not received one yet but i guess that I will as I am also an Oracle customer.

The email states that the CPU April 2005 patch set for and for the database server has been reported that causes the fixes for alert #65 to be incomplete.

The email goes on to say that if customers have already applied the patch for alert #65 first then no action is required, if not alert #65 needs to be applied. It can be applied either before or after CPU April 2005 (Don't you wish for a better naming convention?). If alert #65 is already applied then there will be a conflict shown.

So why is this? - I guess it is because CPU April 2005 is supposed to be a cumulative patch for all previous fixes so it looks like CPU April 2005 did not include some of the alert #65 fixes.

If you have applied CPU April 2005 and not alert #65 then you will be vulnerable so take notice of these details.

Critical Patch Update - April 2005 has not been updated since April 13 so does not yet reflect this information. Also Alert 65, Security Vulnerability in Oracle9i Application and Database Servers has not been updated yet either.