Bookmark Go to End

Doc ID: Note:293955.1
Subject: Oracle Critical Patch Update January 2005 FAQ
Type: FAQ
Status: PUBLISHED
Content Type: TEXT/X-HTML
Creation Date: 15-DEC-2004
Last Revision Date: 21-JAN-2005
Note: 293955.1
Oracle Critical Patch Update January 2005 FAQ
Release Date: January 18th, 2005

Important
This is a live document and is updated as needed. Please take note of the Modification History at the bottom of this document and refresh your browser.

INTRODUCTION

This FAQ was produced to address questions and concerns regarding Oracle Critical Patch Update January 2005 (CPUJan2005). The questions in this FAQ are categorized by Oracle products that are applicable to CPUJan2005.  Non-product specific questions are categorized in the General section.  The following MetaLink Notes should be thoroughly reviewed for CPUJan2005:

Note 293953.1 Oracle Critical Patch Update January 2005 Advisory
Note 290738.1 Oracle Critical Patch Update Program General FAQ
Note 293737.1 Oracle Critical Patch Update January 2005 Pre-Installation Note for Oracle Database Server
Note 293738.1 Oracle Critical Patch Update January 2005 Pre-Installation Note for Oracle Application Server
Note 293740.1 Oracle Critical Patch Update January 2005 Pre-Installation Note for Oracle Collaboration Suite
Note 293741.1 Oracle Critical Patch Update January 2005 Pre-Installation Note for Oracle E-Business Suite
Note 295108.1 Oracle Critical Patch Update January 2005 Pre-Installation Note for OEM Grid Control
Note 237007.1 FAQ for Oracle Security Alerts and Critical Patch Updates

QUESTIONS BY CATEGORY

General 
  1. Are there details available about exploiting the vulnerabilities covered in Critical Patch Update January 2005?
  2. Do the components listed in the Advisory Risk Matrix include only the new fixes in the Critical Patch Update – January 2005 or do they list all security vulnerabilities from previous alerts?
  3. I have not installed Security Alert 68.  Do I need to install that before the Critical Patch Update January 2005? 
  4. Where do I find information about downloading patches for the Critical Patch Update January 2005?

[TOP]

Oracle Database Server (DB)
  1. According to the Advisory Risk Matrix, some of the database vulnerabilties require certain system privilege and object privilege.  Can I just revoke those privilege from the users and apply the CPUJan2005 patches at a later time?
  2. There are patches available for the 9.0.1.4 and 9.0.1.5 databases listed in the Application Server Pre-Installation Note but not the Database Server Pre-Installation Note.  Can I apply those patches on my 9.0.1.4 or 9.0.1.5 database?

[TOP]

Oracle Enterprise Manager (OEM) No issue reported.

[TOP]

Oracle HTTP Server (OHS) No issue reported.

[TOP]

Oracle Application Server (OAS) No issue reported.
[TOP]
Oracle Collaboration Suite (OCS) No issue reported.

[TOP]

Oracle E-Business Suite (EBS) No issue reported.

[TOP]

[TOP]

QUESTIONS AND ANSWERS BY CATEGORY

General 

1. Are there details available about exploiting the vulnerabilities covered in Critical Patch Update January 2005?

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the pre-installation notes, the readme files, and FAQs. Oracle does not provide advance notification on CPU or Security Alerts to individual customers.

2. Do the components listed in the Advisory Risk Matrix include only the new fixes in the Critical Patch Update – January 2005 or do they list all security vulnerabilities from previous alerts?

The Risk Matrix includes only new fixes that are included in the Critical Patch Update for January 2005.

3. I have not installed Security Alert 68.  Do I need to install that before the Critical Patch Update January 2005?

This Critical Patch Update is a cumulative update (including all Oracle Security Alert #68 fixes) containing fixes for multiple security vulnerabilities.   Therefore you will not need to install the Security Alert 68 patches first if you install the Critical Patch Update January 2005.

4. Where do I find information about downloading patches for the Critical Patch Update January 2005?

The Critical Patch Update advisory is the starting point for more information and to obtain the patches. It contains a summary of the security vulnerabilities and links to other important documents such as the Pre-Installation Notes. There is a Pre-Installation Note for each product which explains how to determine which patches need to be installed for that product and how to download them.

[List of General questions]
[TOP]

Oracle Database Server (DB)

1. According to the Advisory Risk Matrix, some of the database vulnerabilties require certain system privilege and object privilege.  Can I just revoke those privilege from the users and apply the CPUJan2005 patches at a later time?

Oracle recommends customers apply the CPUJan2005 as soon as possible.  Revoking certain system privileges or object privileges on certain objects may cause your applications to function incorrectly.

2. There are patches available for the 9.0.1.4 and 9.0.1.5 databases listed in the Application Server Pre-Installation Note but not the Database Server Pre-Installation Note.  Can I apply those patches on my 9.0.1.4 or 9.0.1.5 database?

The patches provided for the 9.0.1.4 and 9.0.1.5 databases are strictly for Application Server customers who are using their 9.0.1 database as an Applicatoin Server Metadata Repository.  It is not recommended that you apply these patches to your independent 9.0.1 databases.

[List of DB questions]
[TOP]

Oracle Enterprise Manager (OEM)

No issue reported.

[List of OEM questions]
[TOP]

Oracle HTTP Server (OHS)

No issue reported.

[List of OHS questions]
[TOP]

Oracle Application Server (OAS)

No issue reported.

[List of OAS questions]
[TOP]

Oracle Collaboration Suite (OCS)

No issue reported.

[List of OCS questions]
[TOP]

Oracle E-Business Suite (EBS)

No issue reported.

[List of EBS questions]
[TOP]


MODIFICATION HISTORY

18-JAN-05: FAQ initially released.
21-JAN-05: Added questions 1-4 in the General section and 1-2 in the Database section.

###

.

Copyright (c) 1995,2000 Oracle Corporation. All Rights Reserved. Legal Notices and Terms of Use.