Oracle Patch Day Becoming Irrelevant
mocirac wak writes "Oracle's scheduled quarterly patch day is becoming more and more irrelevant. Oracle critical patches announced in the April 2006 CPU are still not available for download and the ETA is now set for May 15. The whole idea of a patch day was to let DBAs get prepared for testing and deployment. What's the use of having a patch day when there are no patches to download?" From the article: "... Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process. 'For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related,' Cerrudo said. 'They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability,' he added."
Re:You don't need to patch! (Score:2, Informative)
Anyone who reads bugtraq or the like will know it is shocking.
Take a look at http://www.securityfocus.com/archive/1/432399 for an example.
Abhorrent lack of focus (Score:2, Informative)
It's called customer service.... (Score:2, Informative)
ROI is important, and bad patch schedules and releases are not good ROI...
Sad state of Software Development in general.... (Score:2, Informative)
Most of the companies are not mature and are entrenched in bureaucracy. Staff probably turns over twice a year now, when a decade ago devoted "well paid" developers worked long hours to make sure a patch or update was ready for release.
Now from my perspective, as a DBA responsible for installing and overseeing the installation of software patches on database and application servers, I can't really say this is happening any longer.
I don't simply patch Oracle because they say it's "critical". Updates and patching are only done if needed to keep the application going and to keep users working. If the risk of not patching comes into play, then we patch.
Unfortunately for us, many software makers have discovered the joys of consulting fees to bolster fading profit and market share, rather than actually delivering quality service and product to existing customers.
Particularly in smaller software makers. Selling the sizzle and delivering the bacon later is all too common now. And many times you end up with something much less than "bacon".
Anyone who works with canned apps in a large heterogeneous IS environment knows what I am talking about.
And "we" the customers are partly to blame for allowing software makers to have their way with us. I for one refuse to "pay" for vendors to develop working patches for their software... there are a thousand and one ways for software vendors to take advantage of clients. It is up to the IT professionals to hold them to contracts and simple concepts like the delivery of software, updates and patches that actually work as claimed.
So it is up to us to demand full documentation, and READ IT. Test the systems completely and be more "critical" of the vendor's claims... if you have to be a hard ass to do so... so be it.
Re:limited set unavailable? (Score:3, Informative)
Metalink note 360465.1 has a table of patch levels required for database versions and patch release dates by OS. For 9.2.0.6, 9.2.0.7 and 10.2.0.1 it looks like patches are available, and 10.2.0.2 is only awaiting the patch for the HP Itanium platform (expected today... I'm sure both sites who use Oracle on HP Itanium will be happy).
There is some delay in other Oracle versions on other platforms. If you're using 8.1.7.4, you're boned... although since IIRC all support for that version ends at the end of this year, I'd hope there's a migration in your future anyway.
For versions 10.1.0.3 and 10.1.0.4 it's a little odd... for some OSs there are patches available (Tru-64, Linux, UNIX, et al.) but there's a wait for the Windows versions. In 10.1.0.3's case some platforms must upgrade to 10.1.0.4 or 10.1.0.5, then apply patches for those levels.
So in short, if you're running the latest version of Oracle 9i or 10g on Windows, proprietary UNIX or Linux, there are patches available.