customers are starting to wonder if they are going to see a security patch from the company this month.

The Redwood Shores, Calif.-based software giant is nearly a month delinquent on its promise of a more regular cycle for issuing security upgrades and fixes for viruses. Now several organizations say they are frustrated not only with the patch but with the frequency of the patch

Two months ago, Oracle adopted a monthly cycle of addressing security upgrades and fixes instead of dealing with them on a quarterly or yearly basis. The were to include notification to Oracle’s customers and subscribers followed by instructions and links to FTP sites.
Company spokesperson Rebecca Hahn said the company is still very much committed to protecting its customers but offered no explanation for the

“Our customers, partners and developers all get the same alerts at the same time,” Hahn told internetnews.com. She also reiterated that the company will continue its policy of issuing individual alerts for the most egregious security breaches.
The last scheduled communication was Alert #68, Rev 2, which was issued back in August and updated last month. The patch asks customers to protect themselves from malicious code the company said could be used to exploit legacy Oracle products.

Almost immediately, according to several posts on FreeLists.org, problems emerged with the “opatch”
FreeLists poster Larry Wolfson is one of those whose contractors working on an account with HP attempted to install a number of patches with some difficulty.

“The problem with this attempt looks to be that all of the inventory directory isn’t there. However, are you sure this is patch68??? as all the patch 68’s I’ve installed on 8174 (HP & Solaris) haven’t used opatch. Instead you’ve just had to run patchserver.sh rather than opatch. In fact this is indicated by opatch looking for ContentsXML which only appears under 9i and not an 8i install,” the submission read.
Ruth Gramolini reported a similar problem in that she didn’t have an oraInventory directory.

“Look in your oraInst.loc file (on AIX it is /etc) and see where the inventory_loc is,” she noted. “Mine is actually in the Oracle Home. Then look for the missing file there.”
The release cycle is also frustrating customers, according to Pete Finnigan, an Oracle security audit specialist whose recent blog on the subject suggests a compromise.

“Possibly Oracle could compromise between a monthly schedule which could cripple large companies with lots of databases and the original more haphazard schedule of security releases,” Finnigan wrote. “A quarterly release schedule would be better for company’s staff time budgets needed for installation and testing but would not deliver the advantage of security fixes being available monthly. It’s all about compromises I suspect.”
Finnigan also said applying patches to a PC or even a Microsoft-powered server is probably easier than doing the same with Oracle.

“The reason being is that Microsoft really has just one platform to deal with whereas Oracle has multiple OS’s and also bugs in multiple products to deal with,” he said.