The latest in the series of quarterly patch updates has been released. The advisory is titled "Oracle Critical Patch Update - January 2006" and is available from the Oracle security alerts page. As is now usual there are three categories of products affected. The first are the base product releases that are still covered by error correction support or extended error correction support. The second category are products and components bundled with the first category, the third category are products that are no longer supported as base installs but are bundled in some cases with products from category one.
A new addition with this advisory is that Oracle has provided a new tool to check default account passwords. This is available from Metalink only as patch 4926128. This is the tool announced recently to combat the potential threat of the voyager worm. Of course a much better, in terms of the number of default accounts checked, default password checker is available from this site.
The advisory also this time includes three fixes for client only installs. These are issues DBC02, DBC01 and JN01.
There are a number of new names for researchers credited in the credit section, this can only be taken as an indication that more and more people are becoming interested in Oracle security. This can only be a good thing in the long term.
There are 29 database related bugs fixed in this release. Quite a few relate to package procedures and commands in the database, so whilst the exploit is not obvious the package or command that is vulnerable is obvious.
There are then 3 client bugs, 3 HTTP server and 3 Oracle Workflow cartridge bugs.
There are then 17 Oracle application server related bugs listed, some of which are duplicate from the first section. There are then 20 Oracle Collabortaion server bugs again including 5 from previous sections. There are 27 Oracle Applications (E-Business Suite) bugs again including 8 listed in previous sections and finally there is one PeopleSoft bug and one JD Edwards bug fixed.
This seems like a good mixed bag of fixes, quite a lot in total and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands.
As always apply the patches as soon as possible!
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Interview with Oracle's security chief"] [Next entry: "Imperva discovers a critical access control bypass in login bug"]
January 2006
- Niall has a good post - DBA as User - 01/05/2006 by 01/05/2006
- up front security - 01/06/2006 by 01/06/2006
- A tiny digital camera - 01/07/2006 by 01/07/2006
- Oracle 'Worm' Exploit Gets Ominous Tweak - 01/08/2006 by 01/08/2006
- Justin talks about a new series of papers on Oracle security by Arup - 01/09/2006 by 01/09/2006
- Howard has some good advice on protecting against worms - 01/10/2006 by 01/10/2006
- Doug has posted an intersting note about executing of SQL script from URL's - 01/12/2006 by 01/12/2006
- Oracle is finally listening to customers about fix times and security patch quality - 01/14/2006 by 01/14/2006
- Interview with Oracle's security chief - 01/16/2006 by 01/16/2006
- Red Database Security has released 5 Oracle security bug advisories - 01/17/2006 by 01/17/2006
- Alex has added advisories for 23 security bugs fixed in 10g Release1 - 01/19/2006 by 01/19/2006
- Alex has produced a detailed analysis of the Jan 2006 CPU - 01/22/2006 by 01/22/2006
- Duncan Harris speaks on Oracle Security - 01/24/2006 by 01/24/2006
- Oracle is advising customers to patch the last CPU very quickly - 01/25/2006 by 01/25/2006
- An argument rages in the ePress between Oracle and Litchfield - 01/27/2006 by 01/27/2006
- Gartner: Oracle no longer a bastion of security - 01/30/2006 by 01/30/2006
- How to connect to the database using Perl - with two way communication - 01/31/2006 by 01/31/2006
Archives
Syndication
Powered by gm-rss 2.0.0
