This is a discussion on Where are the XE security patches? within the Oracle Database forums, part of the Database Server Software category.

Pete Finnigan has got a very good point in his security blog
http://www.petefinnigan.com/weblog/entries/

Perhaps it is disingenuous of Oracle to provide a free version of Oracle if there are not timely efforts to keep it patched and secured.

hpuxrac wrote:
> Pete Finnigan has got a very good point in his security blog
> http://www.petefinnigan.com/weblog/entries/
>
> Perhaps it is disingenuous of Oracle to provide a free version of Oracle
> if there are not timely efforts to keep it patched and secured.

Good point though I wouldn't have used the same words. I am checking on this and will report what I hear.

--
Daniel A. Morgan
University of Washington
damorgan@x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org

> Perhaps it is disingenuous of Oracle to provide a free version of Oracle
> if there are not timely efforts to keep it patched and secured.

But isn't that what a support contract is for? If you pay for support, then in many cases, you are using SE or EE. If I get a free version of Linux, I do not expect patches. If I do want patches, I pay for a supported version of Red Hat, SuSE, etc.

Just a thought...

Cheers,
Brian

--
===================================================================
Brian Peasland
dba@nospam.peasland.net
http://www.peasland.net
Remove the "nospam." from the email address to email me.
"I can give it to you cheap, quick, and good. Now pick two out of the three" - Unknown

Brian Peasland wrote:
>If I get a free version of
> Linux, I do not expect patches. If I do want patches, I pay for a
> supported version of Red Hat, SuSE, etc.
>

You have never used Gentoo Linux, have you? It is a source distribution, so it gets patches weeks if not months before binary distributions.

But on databases, I guess you are right: you get what you pay for.

--
Arto Viitanen, CSC Ltd.
Espoo, Finland

hpuxrac wrote:
> Pete Finnigan has got a very good point in his security blog
> http://www.petefinnigan.com/weblog/entries/

Pete says that a first patch was released after some time but I wasn't able to find it, do you know where it is?

Thank you.

Kind regards,

--
spamto:cris119@operamail.com
blind faith in your leaders or in anything will get you killed

Brian Peasland wrote:
> > Perhaps it is disingenuous of Oracle to provide a free version of Oracle
> > if there are not timely efforts to keep it patched and secured.
>
> But isn't that what a support contract is for? If you pay for support,
> then in many cases, you are using SE or EE. If I get a free version of
> Linux, I do not expect patches. If I do want patches, I pay for a
> supported version of Red Hat, SuSE, etc.
>
> Just a thought...

Hey we are not using XE here. EE for me please.

However I believe Oracle has indicated that XE would be kept patched and updated ... not just thrown out as a one time release.

Shouldn't it be possible to keep the patches for it synchronized with the quarterly CPUs?

DA Morgan wrote:
> hpuxrac wrote:
>> Pete Finnigan has got a very good point in his security blog
>> http://www.petefinnigan.com/weblog/entries/
>>
>> Perhaps it is disingenuous of Oracle to provide a free version of Oracle
>> if there are not timely efforts to keep it patched and secured.
>
> Good point though I wouldn't have used the same words. I am checking on
> this and will report what I hear.

I received one answer:

The release of XE was delayed for four months so that Oracle could apply and test a substantial number of security patches. If used per the docs my source was unaware of any issues.

The operative phrase here is "used per the docs" and not used for some other purpose. Seems reasonable.

--
Daniel A. Morgan
University of Washington
damorgan@x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org

DA Morgan wrote:
> DA Morgan wrote:
> > hpuxrac wrote:
> >> Pete Finnigan has got a very good point in his security blog
> >> http://www.petefinnigan.com/weblog/entries/
> >>
> >> Perhaps it is disingenuous of Oracle to provide a free version of Oracle
> >> if there are not timely efforts to keep it patched and secured.
> >
> > Good point though I wouldn't have used the same words. I am checking on
> > this and will report what I hear.
>
> I received one answer:
>
> The release of XE was delayed for four months so that Oracle could apply
> and test a substantial number of security patches. If used per the docs
> my source was unaware of any issues.
>
> The operative phrase here is "used per the docs" and not used for some
> other purpose. Seems reasonable.

If Pete Finnigan is hinting that there are unresolved security patches that currently haven't been applied against XE ... and Oracle isn't committed to dates when it will be updated and patched ... that's "reasonable?".

"My source was unaware of any issues?"

Yikes.

It don't take a weatherman to know which way the wind is blowing here.

hpuxrac wrote:
> DA Morgan wrote:
> > DA Morgan wrote:
> > > hpuxrac wrote:
> > >> Pete Finnigan has got a very good point in his security blog
> > >> http://www.petefinnigan.com/weblog/entries/
> > >>
> > >> Perhaps it is disingenuous of Oracle to provide a free version of Oracle
> > >> if there are not timely efforts to keep it patched and secured.
> > >
> > > Good point though I wouldn't have used the same words. I am checking on
> > > this and will report what I hear.
> >
> > I received one answer:
> >
> > The release of XE was delayed for four months so that Oracle could apply
> > and test a substantial number of security patches. If used per the docs
> > my source was unaware of any issues.
> >
> > The operative phrase here is "used per the docs" and not used for some
> > other purpose. Seems reasonable.
>
> If Pete Finnigan is hinting that there are unresolved security patches
> that currently haven't been applied against XE ... and Oracle isn't
> committed to dates when it will be updated and patched ... that's
> "reasonable?".
>
> "My source was unaware of any issues?"
>
> Yikes.
>
> It don't take a weatherman to know which way the wind is blowing here.

A quick look at the "used per the docs" notes the following ...

Oracle Database XE is a great starter database for:

- Developers working on PHP, Java, .NET, XML, and Open Source applications
- DBAs who need a free, starter database for training and deployment
- Independent Software Vendors (ISVs) and hardware vendors who want a starter database to distribute free of charge
- Educational institutions and students who need a free database for their curriculum

So Oracle has noted that ISVs and hardware vendors should feel free to pick XE to distribute free of charge but caveat emptor on security vulnerabilities?

At least we are not aware of any universities that have been hacked lately right?

hpuxrac wrote:
> DA Morgan wrote:
> > DA Morgan wrote:
> > > hpuxrac wrote:
> > >> Pete Finnigan has got a very good point in his security blog
> > >> http://www.petefinnigan.com/weblog/entries/
> > >>
> > >> Perhaps it is disingenuous of Oracle to provide a free version of Oracle
> > >> if there are not timely efforts to keep it patched and secured.
> > >
> > > Good point though I wouldn't have used the same words. I am checking on
> > > this and will report what I hear.
> >
> > I received one answer:
> >
> > The release of XE was delayed for four months so that Oracle could apply
> > and test a substantial number of security patches. If used per the docs
> > my source was unaware of any issues.
> >
> > The operative phrase here is "used per the docs" and not used for some
> > other purpose. Seems reasonable.
>
> If Pete Finnigan is hinting that there are unresolved security patches
> that currently haven't been applied against XE ... and Oracle isn't
> committed to dates when it will be updated and patched ... that's
> "reasonable?".

It was my understanding when XE first came out (as others noted http://groups.google.com/group/comp....b?dmode=source ) that the idea was for Oracle to handle all patching, and users would simply download and install the latest version when necessary. Seemed reasonable. Of course, I'm still using the beta, so how good is that going to work in practice anyways? Most users would probably stop fiddling once it got working.

>
> "My source was unaware of any issues?"
>
> Yikes.
>
> It don't take a weatherman to know which way the wind is blowing here.

Man I'm biting my tongue... let's just say, A Mighty Wind.

jg
--
@home.com is bogus.
http://www.signonsandiego.com/uniont...s_1b12ams.html