back to article Oracle drops 248 – count 'em – 248 patches, to fix ... something

Oracle has just pushed out its quarterly batch of critical patches, so sysadmins had best get busy. The bug-splat haul covers a record-setting 248 individual fixes, with the full list here. The Oracle E-Business Suite gets the biggest serve, with a whopping 78 bugs patched, 68 of which are remotely exploitable without …

  1. allthecoolshortnamesweretaken

    Aww, c'mon...

    248 patches per quarter, that comes down to 20, 21 patches a week... not that bad, considering it's Oracle...

  2. Anonymous Coward
    Anonymous Coward

    "There's a small sigh of relief for MySQL Server users, since although the patch-round covers 22 vulnerabilities, only one is remotely exploitable."

    So more vulnerabilities in one go than MS SQL Server has had ever!

    https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-251/opdos-1/Microsoft-Sql-Server.html

    1. batfastad

      It's an order of magnitude easier to find, exploit and report vulnerabilities if the source code is right there in front of you.

      Just because fewer vulns are reported (or admitted) that doesn't mean they don't exist.

      1. Anonymous Coward
        Anonymous Coward

        >> It's an order of magnitude easier to find, exploit and report vulnerabilities if the source code is right there in front of you.

        Sure it is. Worked so well for say Open SSL across 18+ years didn't it?

        FYI, corporates, governments, etc. do get to check / audit the MS source code anyway.

        1. batfastad

          >Sure it is. Worked so well for say Open SSL across 18+ years didn't it?

          Eventually found, fixed and disclosed.

          Potentially found, exploited and not disclosed for 18+ years.

          I'm not sure your suggestion of relying on the vulnerability disclosure policy of governments is a particularly great idea.

          Corporates, hmmm, it would be interesting to know how many corporates have audited the source code of SQL Server. Having theoretical access to audit is a long way off having the technical skill set, time and money to do so.

        2. Destroy All Monsters Silver badge

          FYI, corporates, governments, etc. do get to check / audit the MS source code anyway.

          Uh-huh. Yeah. Sure.

          1. Anonymous Coward
            Anonymous Coward

            >> Uh-huh. Yeah. Sure.

            https://www.microsoft.com/en-us/sharedsource/default.aspx

          2. Destroy All Monsters Silver badge

            Yes, downvoter.

            So how's that gonna work?

            "Here is the source code, you can audit it to your heart's content. It's a hairball of historical accidents with lots of bullshit crammed into the kernel that shouldn't even be there in the first place, you may want to do a very precise audit because we not entirely sure what some of that code does ourselves. But you have an army of top Microsoft OS specialists and gigabytes of traceable requirements, right, to make this more than an exercise in pretend due diligence?

            When you are done, we will compile it for you ...

            MWAHAHAHA!"

            1. TheVogon Silver badge

              "It's a hairball of historical accidents with lots of bullshit crammed into the kernel that shouldn't even be there in the first place"

              If you think that about a microkernel OS like Windows, what about Linux?! It's way way worse in that regard.

              "to make this more than an exercise in pretend due diligence?"

              That seems to work for the Open Source world.

              1. Roo

                "If you think that about a microkernel OS like Windows, what about Linux?! It's way way worse in that regard."

                I agree a microkernel OS *should* be smaller and therefore easier to validate but Windows is not a microkernel OS because it runs stuff like font file parsing & rendering in ring 0. By contrast Linux does not render fonts in ring 0 - so that's *less* code to validate in the Linux case.

                A lot of this is a moot point anyway - because the modern Wintel hardware has a metric shit load of protection domains that overlap, there are at least two *more* privileged layers above classic "ring 0" these days. Folks need to audit the firmware on the processors and motherboard these days, folks on old school RISC platforms have life a bit easier. :)

  3. Anonymous Coward
    Anonymous Coward

    How I miss Sun Microsystems

    (Sigh)

  4. Gis Bun

    I was expecting at least half the issues to involve Java.

  5. Anonymous Coward
    Joke

    Database flaws attack accountants ..

    There, headline corrected so as not to cause a trigger warning :)

  6. Simon Brady

    CVE details? Yeah right...

    Oracle gives its risk matrices to everyone but keeps the details of individual CVEs (Common Vulnerabilities and Exposures) to users with log-ins to its support portal.

    This is incorrect. The Patch Availability documents linked to from the announcement are just that - they detail which patches to download for which product versions and link to other support docs for known issues, non-standard patching instructions, etc. They don't provide paying customers any more detail on the vulnerabilities than what Joe Public can infer from the risk matrices, which shouldn't be surprising:

    https://www.oracle.com/support/assurance/vulnerability-remediation/disclosure.html

    (I have my own support contract with Oracle as an independent consultant, so the above is based on first-hand readings of the docs.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020