Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "CPU April 12 - 2005 is released"] [Next entry: " talks about the Oracle CPU April 12 patch release"]

Oracle ships patches seeded with message digest data

Alex emailed me to point me at a page on Metalink titled "Patches Downloaded from MetaLink will be Seeded with Message Digest Data: March 12, 2005".

This is an interesting change to Oracles patch distribution system as since March 12 all patches are seeded with digest data. This effectively means that patches cannot (or rather it would be much much harder) be altered or tampered with whilst being downloaded. Oracle does not supply tools to verify the digest, some OS's include such tools and there are many that can be downloaded.

This is a very interesting change to the patch release mechanism. Of course the question must be asked, has alteration of patches been a problem? Or is this a belt and braces job from Oracle. We should commend Oracle for including this type of integrity check for the patch release mechanism. This is a sign that Oracle does take security seriously on a few levels.