
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


CPU October 18th a few comments

After reading through the CPU advisory again I can make a couple of comments. The first is that the descriptions for all the bugs, except those in the database section, give nothing away whatsoever. The bugs that name a package, function / procedure or privilege allow at least some judgement to be made on whether to patch or not, based on whether you use those features. The rest of the issues give no information on which to base such a judgement at all. The risk matrix indicates the level of risk, but without a little more detail as to the components involved it's difficult to make judgements. My other main comment is that there seem to be many more fixes this time, compared at least to the last CPU, July 2005.

Alex has just passed a couple of comments to me in our chat session. His first comment is that they fixed two CSS bugs in the Workflow component, which is also sometimes part of the database install. People should be made aware of this as the bugs are currently not listed on the database matrix.

His second comment was that the critical reports server bugs that are remotely exploitable and listed on Alex's site are still not fixed in this CPU. Alex says he reported these 798 days ago, and now the next possible fix release date is the Jan 2006 CPU, which would mean they would be fixed in 889 days.

The good thing is that the patch seems to have covered a good range of bug fixes.