
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Oracle Confirms Holes in Two Latest Patch Sets

Lisa Vaas has released a news article this evening (22 July 2005) titled "Oracle Confirms Holes in Two Latest Patch Sets" that details the ongoing problems Oracle seems to be having with its latest two patch sets. Oracle released April's Critical Patch Update (CPU), fixing 70 bugs, and then in early July sent out two emails detailing problems with the patch. Oracle has now sent out a new email detailing why the fixes for the April patch have still not worked. The July CPU also has its own problems. Oracle re-issued the patches only a few days after the original release. A researcher, Cesar Cerrudo, has also identified a problem with the July patch, and performance issues related to the July patch have been reported on Metalink.

The news report goes on to discuss the problems with the patches and also the state of Oracle's patching process. Lisa also quotes Alex and myself about the issue of whether these emails are phishing attempts. There is also a discussion about the fact that Oracle has not disclosed these latest flaws in their patches on OTN or Metalink. This article is worth looking at.