Oracle Security Update Patch July 2011

I am using JDK 1.4.2_08, 1.4.2_19, 1.4.2_22, and Oracle DB 9.2.0.8. Can any experts tell me how to tell if I am affected, i.e. after installing the patch everything will continue to work fine?

Thanks!

Oh Chin Boon

2 Answers

2

This applies to any patches in general, and is not specific to the Oracle CPUs/ARUs etc. It is impossible for most software patches to be completely compatible with the existing version of the software and any software (including yours) that depends on it.

If you are rolling out a patch to production, a sensible roll-out policy would always involve testing the patch against a replica of the production instance. Like I stated earlier, this does not apply to the Oracle CPUs or ARUs alone; it applies to other artifacts like OS updates, configuration changes, anti-virus updates and any change that could break your application in production, or even modify the runtime behavior of the application.

Also, it doesn't hurt to take a backup of the production instance, before applying the patch. Most updates from Oracle recommend taking a backup, so that any failed patch installation can be rolled back without extending the potential downtime period.

The patchset release notes would guide you in establishing a minimum set of tests that you have to run before rolling out the update, but it is not necessary that a release note contains this information. It could be present in the bug databases associated with the product (this would be Oracle Support for the Oracle database, and possibly the Sun bug database for the Oracle JDK), and you have to perform the hard work of mapping the bug fixes to potential test candidates. If you are unsure, you should still have a smoke test suite that you can run to ensure that a roll-out does not break your application.

Vineet Reynolds
  • Hi Vineet, can you please guide me to the mentioned patchset release notes. – Oh Chin Boon Jul 20 '11 at 02:36
  • What are Oracle ARUs? – Oh Chin Boon Jul 20 '11 at 02:38
  • I believe for the July patch set that you are referring to, it would be this page - http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html . Each product will have its own release notes for the patches issued for it in the CPU. ARU = Automated Release Updates; it is not done for all products as far as I know; it is basically a single bug fix. – Vineet Reynolds Jul 20 '11 at 02:38
  • Hi Vineet, I have scanned through the link you have given me, it seems that Oracle 9i and Java 1.4.2 are not affected by the patch. – Oh Chin Boon Jul 20 '11 at 02:47
  • Yes, that appears to be the case. The JDK patch is for the Oracle JRockit runtime and not for the acquired Sun JDK. – Vineet Reynolds Jul 20 '11 at 02:52
  • Hi Vineet, thanks, may I know how you came to the conclusion that it is targeting only JRockit? Please reference this link I clicked through from the CPU page: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0873 . – Oh Chin Boon Jul 20 '11 at 02:55
  • Now, that link in the CVE is for the June 2011 CPU, and not for the July one. Besides, the patch availability table for the July 2011 CPU references JRockit explicitly, whereas the Sun JDK is absent (it would have normally appeared in the Sun product suite section). Also, the patch release cycle for the Sun JDK is 4 months, if I'm not mistaken, and given that an update was issued last month, it is unlikely that there would be another in this month. – Vineet Reynolds Jul 20 '11 at 02:59
2

On the Oracle 9.2.0.8 front, this product is no longer under active support from Oracle and no new bug fixes are being released.

If security is an issue, you should consider an upgrade to the Oracle 11.2.0.2 version (as 10gR2 is also receding quickly in the rear view mirror).

Gary
  • Would you know if you meant paid support altogether? I remember seeing some links about lifetime support by Oracle, in which the paid licensees receive support from Oracle, not sure if this is a security bug fix. – Oh Chin Boon Jul 20 '11 at 06:00
  • You can pay for lifetime support which means they will supply you with any patches they have already written, or help you out if your backups go screwy etc. But they are not fixing any new bugs (including security issues) and it may stop you patching/upgrading the OS. – Gary Jul 21 '11 at 23:37