Oracle's summer update fixes 65 flaws
Updated July 19 to include information on the product versions affected by the delayed patches.

Oracle Corp. fixed 65 security holes Tuesday in its latest quarterly Critical Patch Update (CPU). The flaws affect a variety of products, including the vendor's database and application server software. According to Symantec's DeepSight Threat Management Service, attackers can exploit some of the vulnerabilities to completely compromise a vulnerable server, and others to partially affect the availability, confidentiality or integrity of the computer. Both remote and local attacks are possible, Symantec said.

The latest batch of vulnerabilities is larger than the 36 flaws addressed in Oracle's April CPU, but smaller than the 82 flaws fixed in January.

Some security experts criticized the Redwood Shores, Calif.-based database giant for delaying patches for certain platforms in the April CPU. Darius Wiles, Oracle's senior manager of security alerts, acknowledged Tuesday that some patches were being held back this time as well. "About 10 patches won't be available today because of quality issues," Wiles said. "Most of those will be out in the next few days, though some might take a bit longer." Product versions affected by these delays are Oracle Application Server 9.0.4.1 on HP Tru64 and Oracle Application Server 10.1.2.0.2 on Linux and Microsoft Windows (32-bit).

However, 10 isn't a lot, Wiles added, when one considers that the July CPU includes a total of 250 patches -- one patch for each specific product version and platform that's affected by the 65 flaws. He added, "We want to get all patches out by noon PT" the day of a CPU release, "but if we run across any problems, we will hold some back."

Of the 65 flaws addressed in the July CPU, two affect PeopleSoft and one affects JD Edwards. The JD Edwards flaw is the most critical of the three.

Wiles also noted a formatting change made to this month's patch bulletin in response to customer feedback. 
Instead of separate MetaLink documents for the Database, Enterprise Manager, Applications Server and Collaboration Suite, information on the four product lines has been boiled down into one document. That way, he said, customers don't have to read as much text to find what they're looking for. Oracle has been criticized in the past for providing security bulletins that are very hard to digest. The database giant has also taken heat in the past for sitting on older flaws, not always fixing vulnerabilities as advertised in the CPUs and not including enough information on the specific flaws. In a recent interview, Wiles and John Heimann, Oracle's director of security program management, admitted that a vast array of platforms and mountains of source code can make for some patching mistakes, but they don't necessarily agree with some of the flaw findings independent researchers release to the public.