Note:293737.1
Oracle Critical Patch Update January 2005 
Pre-Installation Note for Oracle Database Server
Release Date: January 18th, 2005

Important: If this Note is printed, be aware that its content may change, as per the Modification History below.

CONTENTS

1 INTRODUCTION
2 OBJECTIVE
3 COMPONENT IMPLICATIONS
4 WHERE TO START
5 WHAT PATCHES TO APPLY
6 KNOWN ISSUES
7 REFERENCES
8 MODIFICATION HISTORY

1 INTRODUCTION

Oracle Corporation has released the Oracle Critical Patch Update January 2005 (CPUJan2005) on January 18th, 2005.  The products included are Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle Enterprise Manager Grid Control, and Oracle E-Business Suite  A product Pre-installation Note has been released for each of these product suites at the same time.  This Pre-installation Note is focused on the Oracle Database Server.  For the other Oracle products included in the CPUJan2005, review the following Pre-Installation Notes:

Note 293740.1 Oracle Critical Patch Update January 2005 Pre-Installation Note for Oracle Collaboration Suite
Note 293738.1 Oracle Critical Patch Update January 2005 Pre-Installation Note for Oracle Application Server
Note 293741.1 Oracle Critical Patch Update January 2005 Pre-Installation Note for Oracle E-Business Suite
Note 295108.1 Oracle Critical Patch Update January 2005 Pre-Installation Note for Oracle Enterprise Manager Grid Control

In addition, review the following MetaLink Notes thoroughly for general information related to the Oracle CPU Program, CPUJan2005, or previous Oracle Security Alerts:

Note 293953.1 Oracle Critical Patch Update January 2005 Advisory
Note 293955.1 Oracle Critical Patch Update January 2005  FAQ
Note 237007.1 FAQ for Oracle Security Alerts and Critical Patch Updates  
Note 290738.1 Oracle Critical Patch Update Program General FAQ

2 OBJECTIVE 

The objective of the Pre-Installation Note is to help you identify the patches you need for your Oracle environment and the sequence to apply them. This document is focused on the Oracle Database Server and the products distributed with it.  If you are running other Oracle product, please review the Oracle Critical Patch Update Pre-Installation Note for the other products (listed in Introduction) also before applying any patches.  

The Oracle Database Server is distributed with the Oracle HTTP Server (OHS) and the Oracle Enterprise Manager (EM).  For releases prior to Oracle Database 10g, during the Oracle Database Server installation, the OHS is installed by default unless you specifically chose to deselect it at installation time.  From Oracle Database 10g, OHS is distributed on a companion CD and is installed separately.  The Enterprise Manager Database Control is installed by default with the Oracle Database Server while the Enterprise Manager Grid Control is installed from the companion CD distributed with the Database Server.

3 COMPONENT IMPLICATIONS

See the appropriate CPUJan2005 Release Notes supplied with the patch and the Oracle Critical Patch Update January 2005 Advisory (Note 293953.1) for the list of Oracle Database Server components or modules included. 

By default, many of the Database Server components are installed, except the Oracle HTTP Server for Oracle Database Server 10g and Oracle Enterprise Manager DB Control (10g and later).  You can determine the versions of the products installed by running either the Oracle Universal Installer (and selecting ‘Installed Products’), or by running the following command:

opatch lsinventory –detail

For example, if "Oracle HTTP Server” is included in the output of of the above command or in the Oracle Universal Installer, Oracle HTTP Server is installation.

Even if the component is not used in your environment, the fact that the component is installed on the system is enough for the Database Server to be vulnerable.

For Oracle Database Server 9i Release 2 and earlier, the fixes for the Oracle HTTP Server component is included in the Database Server patch.  If this component is installed, you will need to apply the OHS patch also.  The existence of an "Apache" directories under the Database Server $ORACLE_HOME is an indication that the Oracle HTTP Server is installed.

For Oracle Database Server 10g, the Oracle HTTP Server is installed in its own Oracle_Home from the Companion CD. If you have installed this product, please use the patch provided for the Oracle Application Server 10g (either 9.0.4.0 or 9.0.4.1). 

4 WHERE TO START 

Before you can determine which database patch to download, make a list of Oracle Database Server versions you have installed in your Oracle environment.  The list should include the full version numbers. Then, for each Database Server installation, list whether Oracle HTTP Server was installed.  You should also list if any of the components listed in the previous section are installed.  If the component is not installed, the component specific post-installation actions as described in the patch readme file can be skipped.  However, you cannot select which components to be applied to the Database Server during installation.  If some, not all, of the components above are installed, it is important that you apply the Oracle Critical Patch Update January 2005.

Once you have gathered the product information and read the documentation related to CPUJan2005, prioritize your business systems in your list based on your business requirements.  For example, your business requirements may require systems outside of the firewall to have higher priority than systems inside of the firewall. 

5 WHAT PATCHES TO APPLY

It is required to have previous Patchsets or database upgrades applied before applying the CPUJan2005 patches. CPU patches are cumulative, which means fixes from previous Oracle Security Alerts are included.

The database vulnerabilities addressed by this Critical Patch Update do not affect Oracle Database Client-only installations beyond what was addressed in the Security Alert 68 Update. If you have not installed the Security Alert 68 on the Client-only installations, you must install the Security Alert 68 update or this Critical Patch Update on those installations in order to eliminate the security vulnerabilities described by Security Alert 68.

The database fixes included in Oracle Critical Patch Update January 2005 applicable to the Oracle Database Server are included in the 9.2.0.6 and 10.1.0.4 patch set.  Whenever possible, Oracle highly recommends that you update to the latest patch set of your Database Server Release.  For Oracle9i Release 2 versions 9.2.0.4 and 9.2.0.5, Oracle recommends that you update your database to 9.2.0.6 (Patch 3948480) then you will only need to apply a patch for the OHS component if it is installed. 

5.1 Oracle HTTP Server

The Oracle HTTP Server (OHS) is one of the components included in CPUJan2005, and can contain many sub-components, called modules. A primary module is Oracle's mod_plsql.  Whenever you have an Oracle HTTP Server installed (either via a Database Server or Application Server installation), you have mod_plsql installed on the file system, and the PL/SQL Toolkit installed as database objects. For CPUJan2005, both of these needs to be updated.  

The update to the database objects requires connection to the databases involved by issuing the 'sysobjects' command.  Note that the 'sysobjects' portion of the patch only needs to be applied to a single database once, from any of the patches. Installing the 'sysobjects' portion multiple times from different patch is benign, as this will result in reapplying the exact same PL/SQL Toolkit change to the database.  Note that this patch does not install an entire new Toolkit, but only adds an additional package, "owa_match". Since this is a new package, all previous functionalities of the Toolkit will remain the same. The readme explains the steps to be performed.  For more mod_plsql version information, see Note 188622.1 MOD_PLSQL Version Information for iAS/AS10g.

5.2 Previous Database Server Versions

Any Database Server version not listed on the matrix does not mean it is not affected by the vulnerabilities included in CPUJan2005 but rather there is a need to upgrade.  Unsupported products and previously obtained versions have not been tested for the presence of the security vulnerabilities included in CPUJan2005, nor patched. These versions must be upgraded, in accordance with section 4.3.3.3 of the Software Error Correction Support Policy Note 209768.1 . In some cases, an upgrade to a latest patchset is all that is required. If you have a version lower than the version specified in the following matrix, you MUST upgrade before applying these patches.

The Error Correction Support for 8.1.7 for some platforms ended on 31-DEC-2003 as described in Note 250629.1 Oracle Database 8.1.7 (8i) desupport notice 1 of 2 and no Extended Maintenance Support (EMS) was offered. Therefore CPUJan2005 patches for this product version is not available for these platforms.

The Error Correction Support for 9.0.1 ended on 31-DEC-2003 as described in Note 201685.1 Oracle Database 9.0.1 (9i) & 9.0.1.x (9i) desupport notice. However, CPUJan2005 patches for this product version is available for Oracle9i Application Server Release 2 (v.9.0.2) and Oracle Application Server 10g (9.0.4) customers using the 9.0.1.x database as their OracleAS Metadata Repository, and Oracle Collaboration Suite v.9.0.3 and v.9.0.4 customers using the 9.0.1 database for their directory storage.  For more information regarding the impact of CPUJan2005 to Application Server and Collaboration Suite, please see Note 293738.1 and Note 293740.1.

5.3 Prerequisites

If you have Oracle HTTP Server (OHS) installed, then follow the steps in this section.

For Database versions 8.1.7.4 and 9.2.0.x - you should have applied patch for Oracle Security Alert 45 and Alert 62 before applying CPUJan2005 patch.  If you have already done this, you can skip this step. If in doubt, apply the following patches.

• To apply Alert 62 (Note 258996.1), please apply patch 3169446
• To apply Alert 45 (Note 214356.1), please apply patch 2611482

5.4 Ready to Start Applying Patches

Below are the tables listing the patches you need for your versions of Oracle Database Server and Oracle HTTP Server.  Obtain the patches on MetaLink, unzip each and read all Readme files. If ever needing Oracle Support assistance, please provide the list of your Database Server versions and HTTP Server options. 

Table 1: Oracle Database Server and Oracle HTTP Server (OHS)

* z/OS V10.1.0.3 will be released with Critical Patch Update January 2005 already incorporated into it. As a result, no separate patch is required.

Table 2: Oracle HTTP Server (OHS) for 10g

** 10.1.0.2 and 10.1.0.3 shipped with OHS 9.0.4.0. Apply patch 4005890 if you have not applied the 9.0.4.1 patchset.  Apply patch 4005894 if you have applied the 9.0.4.1 patchset.

6 KNOWN ISSUES

6.1. For Database Server 8.1.7.4, while applying the CPUJan2005 patch, you may see a conflict reported with 3973565. 

It can be ignored because this fix is included in the current patch.

6.2. For IBM AIX platform, during patch installation you my receive the following error:

Exception thrown from action: copyExpandedGroup
Exception Name: IOException2
Exception String: Error in writing to file
/u01/64bit/app/oracle/product/ias902j2ee/Apache/Apache/libexec/mod_dms.so
Exception Severity: 2
Exception handling set to prompt user with options to RETRY IGNORE

This is a known issue documented in Note 218084.1. Please run the AIX command "/usr/sbin/slibclean" as "root", as recommended in Note 218084.1, before installing the CPUJan2005 patch.

6.3. For all platforms, 9.2.0.4, 9.2.0.5 or 9.2.0.6, Step 1.b. of the README.txt is not clear:

If only connect strings of 'sample-tcp' were found, then skip Step 2

6.4. For all platforms, 8.1.7.4 MODPLSQL Step 3 of the README.txt is not clear:

If only connect strings of 'sample-tcp' were found, then skip Step 4

6.5. For all platforms, customers who upgraded to 9.2.0.4 from 9.2.0.2 or 9.2.0.3 may encounter a known Opatch error.

If you encounter any Opatch errors, please download Patch #4113140 from Metalink and refer to inventory_recovery.pdf for installation instructions.

6.6. On all AIX platforms, when installing 9.2.0.4, 9.2.0.5, 10.1.0.2 or 10.1.0.3, you may receive the following error:

        xlC: not found
If you are NOT using OCCI, error message can be safely ignored.

If you ARE using OCCI, the AIX C++ compiler must be installed and in the PATH. Issue the following to confirm this:
        % which xlC

If xlC is not found, determine its location and add the directory to the PATH environment variable. If it is not installed, it will need to be installed for the successful installation of this patch. Once it is installed, determine its location and add the directory to the PATH environment variable. Continue the installation and run the following once the above has been resolved:
        % genoccish

The above command will simply return to the command prompt if it is successful. Otherwise, errors will be thrown.

6.7. For 9.2.0.6, when installing the Oracle Critical Patch Update January 2005, an error may occur indicating that the patch is being installed on a wrong platform.  

This is not an issue with the installation of the Oracle Critical Patch Update January 2005 patch. It is a general issue with installing Interim patches to 9.2.0.6. Please follow the resolution outlined in MetaLink Note 292946.1.

6.8. For Client-Only installation, when installing the Oracle Critical Patch Update January 2005, the following error occur during the relink phase:

$ORACLE_HOME/bin/genoccish: not found
*** Error code 1
make: Fatal error: Command failed for target `client_sharedlib'

The program genoccish is used to rebuild the OCI Libraries. As OCI is not installed during a Client-only installs, this error can be ignored. Reply N to the question “Do you want to stop?” 

6.9. 10.1.0.2 for some platforms are re-uploaded. 

This affects 10.1.0.2 only on the following platforms:

AIX5L Based Systems (64-bit)
HP Tru64 UNIX 
HP-UX Itanium 
HP-UX PA-RISC (64-bit) 
Linux x86 
Solaris Operating System (SPARC 64-bit)
Windows 32-bit
Windows 64-bit 

The reason for re-upload was that a file was copied to the incorrect location. Manually copying the file to the correct location will cause inventory corruption and the patch not de-installable. Please download and re-install the latest version of the patch dated 21-JAN-2005 for non-Windows platforms and 25-JAN-2005 for Windows platforms.

6.10. For Database Server 8.1.7.4, while applying the CPUJan2005 patch, you may see a conflict reported similar to the following:

Previously applied patch(es) may be in conflict with 4002909
The patch(es) for Version 8.1.7.4.0, that may be in
conflict with this patch are:
2713573
Continuing could overwite all or parts of the patch(es) in conflict.
You may want to contact support to get a merge of bug 4002909 and
the above conflicting bug(s).

This may be due to the installation not recognizing that the fixes for Security Alert 48, 49, 50 and 51 are included in the Oracle Critical Patch Update January 2005 patch. 

The table below maps the bug number to each security alert and platform (PSE refers to the Patch Set Exception for the specific platform).  If the installation of the Oracle Critical Patch Update January 2005 patch returns a Conflict for any of the following patch, you may disregard the error and continue with the installation.

Platform	Alert 48 (Base 2642117)	Alert 49 (Base 2642267)	Alert 50 (Base 2642439)	Alert 51 (Base 2620726)
	PSE	PSE	PSE	PSE
AIX4-32	2713572	2738648	2742799	2715615
AIX4-64	2713565	2738640	2742790	2715608
AlphaVMS	2713569	2738645	2742796	2715612
DG-Ix86	2770387	2738651	2742800	2770373
DYNIXptx	2713570	2738647	2742998	2715613
HPUX-32	2713571	2738634	2742794	2715614
HPUX-64	2713567	2738643	2742793	2715610
Linux-x86	2713566	2738641	2742791	2715609
SGI-64	2770388	2738638	2742787	2770370
SNI	2770385	2738642	2742792	2770371
Solaris-32	2713573	2738649	2742800	2715616
Solaris-64	2713563	2738636	2742786	2715605
Solarisx86	2770386	2738651	2742800	2770372
Tru64	2713568	2738644	2742795	2715611
UnixWare	2713574	#N/A	#N/A	2715617

6.11 For Database Server 9.2.0.4, while installing Oracle Critical Patch Update January 2005 on 9.2.0.4, the following error may occur if Spatial is installed and the ORACLE_HOME was upgraded from 9.2.0.2 or 9.2.0.3:

Exception in thread "main" oracle.sysman.oii.oiii.OiiiOneoffException:

The base component <oracle.cartridges.spatial, 9.2.0.3.0> of the One-off Patch <9.2.0.3.0> is not present in the install inventory.

If you encounter this error or one stating 9.2.0.2.0, download Patch # 4113140 from MetaLink and refer to inventory_recovery.pdf for installation instructions. After following the instructions, re-start the installation of the Oracle Critical Patch Update January 2005.

6.12 While installing Oracle Critical Patch Update January 2005, the following Security Alert 68 Oracle HTTP Server patches may return as a conflict.

3835963 (9.2.0.4)
3835964 (9.2.0.5)
3838804 (10.1.0.2)

These conflicts can be ignored as the Oracle Critical Patch Update January 2005 replaces these patches. Reply to continue and the conflicting patch will be rolled back.

7 REFERENCES

Note 263719.1 ALERT: Oracle 10g Release 1 (10.1) Support Status and Alerts
Note 189908.1 ALERT: Oracle9i Release 2 (9.2) Support Status and Alerts
Note 120607.1 ALERT: Oracle8i Release 3 (8.1.7) Support Status and Alerts
Note 250629.1 Desupport Notices Oracle Database 8.1.7 (8i) & 8.1.7.x (8i) Notice 1 of 2
Note 148054.1 Desupport Notices Oracle Database 8.1.7 (8i) & 8.1.7.x (8i) Notice 2 of 2
Note 201685.1 Desupport Notices Oracle Database 9.0.1 (9i) & 9.0.1.x (9i)

8 MODIFICATION HISTORY

18-JAN-05: Initial release.
19-JAN-05: Updated Section 5.3. Prerequisite Security Alert number should be 45, not 48. It was a typo on the Security Alert number only.
20-JAN-05: Updated Table 1 to include VMS and z/OS; Added client-only information in Section 5; Added example to check if OHS is installed; Added 6.7 and 6.8 in the Known Issues section.
21-JAN-05: Updated Table 1 to include ETA for UnixWare and Availability for 10.1.0.3; Added 6.9 and 6.10 in the Known Issues section; Corrected typo in 6.7.
24-JAN-05: Added 6.11.
25-JAN-05: Removed reference to Windows in 6.11.
26-JAN-05: Added Windows platforms to 6.9; Corrected typo in 6.11; Added 6.12.
28-JAN-05: Updated Table 1, patch for UnixWare was released and ETA for Linux x86-64 was updated.