Customers Wait for Oracle Security PatchesBy Ryan Naraine | Posted 05-04-2006
Just call it Oracle's May critical patch update.
Three weeks after the database server vendor announced the release of its April 2006 CPU, customers are still waiting for the several important fixes.
The update, which addresses 36 different product flaws, is still undergoing quality assurance testing and is not yet available for download.
On April 18, when the scheduled quarterly update was released, Oracle said the patches would be ready for download on May 1.
Now, according to information posted on the company's Metalink portal, some of the patches won't be ready until May 15.
Oracle declined a request for an interview to discuss the delay, which is being blamed on ongoing patch quality testing. A promised statement was not available at the time this article was published.
Alexander Kornbrust, founder and CEO of Red-Database-Security, said the absence of the patches a full month after the scheduled release date points to a resource problem at the Redwood City, Calif., vendor.
"It's very normal for Oracle to release all the patches for all platforms, but this month it's been extreme. This defeats the purpose of having a scheduled release cycle," Kornbrust said in an interview with eWEEK.
Kornbrust, who regularly reports database and server flaws to Oracle, said the purpose of implementing a rigid patch release cycle is to help DBAs prepare for patch testing and deployment.
"If these DBAs now have to wait weeks and months for the patches, what's the use of having an Oracle patch day?" he asked.
Cesar Cerrudo, founder and CEO of Argeniss Information Security, said patches for Oracle database versions 220.127.116.11, 10.1.0.4, 10.1.0.5 and 10.2.0.2 are among those that are not yet available.
Read the full story on eWEEK.com: ServiceCustomers Wait for Oracle Security Patches