After reading through the CPU advisory again I can make a couple of comments. The first is that the descriptions for all the bugs except for the database section give nothing away whatsoever. The bugs with package or function / procedure names or privileges allow at least some view to be made on whether to patch or not based on whether you use those features. The rest of the issues have no information to make these judgements at all. The risk matrix indicates the level of risk but without a little more detail as to the components involved its difficult to make judgements. My other main comment is that there seem to be much more fixes this time compared at least to the last CPU, July 2005.
Alex has just passed a couple of comments to me on or chat session. His first comment is that they fixed two CSS bugs in the Workflow component that is also sometimes part of the database install. People should be made aware of this as the bugs are currently not listed on the database matrix.
His second comment was that the critical reports server bugs that are remotely exploitable and listed on Alex's site are still not fixed in this CPU. Alex says he reported these 798 days ago and now the next possible fix release date is Jan 2006 CPU which would mean they would be fixed in 889 days.
The good thing is that the patch seems to have covered a good range of bug fixes.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Security Critical Patch Update October 18 is out"] [Next entry: "Some news about the CPU October 18 2005 Oracle security patch set"]
October 2005
- The Six Dumbest Ideas in Computer Security - 10/01/2005 by 10/01/2005
- Good thread on Oracle brute force password cracking and OUG Scotland - 10/03/2005 by 10/03/2005
- OUG Scotland - 10/05/2005 by 10/05/2005
- Link to David Litchfields original post - 10/06/2005 by 10/06/2005
- Slight correction to the HTMLDB advisories - 10/07/2005 by 10/07/2005
- Some more posts on bugtraq about David Litchfields open letter to Oracle - 10/08/2005 by 10/08/2005
- WebGoat an application to learn how to hack! - 10/10/2005 by 10/10/2005
- Security, SOX and Oracle Incentive Compensation - 10/11/2005 by 10/11/2005
- The Age talks about David Litchfields open letter to Oracle - 10/12/2005 by 10/12/2005
- Prevention and detection better than cure - 10/13/2005 by 10/13/2005
- How to encrypt/decrypt strings with the dbms_obfuscation_toolkit package - 10/14/2005 by 10/14/2005
- comments and how to re-enable them on this blog - 10/16/2005 by 10/16/2005
- CPU October 18th a few comments - 10/18/2005 by 10/18/2005
- Women who know Oracle and security - 10/19/2005 by 10/19/2005
- Easy connect identifier - 10/20/2005 by 10/20/2005
- Researcher: Oracle Patch Set Flawed Again - 10/21/2005 by 10/21/2005
- Exploit circulating for newly patched Oracle bug - It can crash an unpatched database server - 10/22/2005 by 10/22/2005
- Some fight back on Oracle security bugs - old news article - 10/26/2005 by 10/26/2005
- Josh has released a paper about the Oracle password algorithm - 10/27/2005 by 10/27/2005
- Some news stories about the josh oracle password paper - 10/29/2005 by 10/29/2005
- UKOUG tomorrow - 10/30/2005 by 10/30/2005
Archives
Syndication
Powered by gm-rss 2.0.0
