I wonder if anyone could point me in the right direction of where I can
download Security Patches for Oracle database software (9i and 10g)
without having a Metalink account.
I've downloaded the free versions of the software from
http://www.oracle.com/technology/software/products/database/xe/htdocs/102xelinsoft.html
and
http://www.oracle.com/technology/software/products/oracle9i/htdocs/winsoft.html
but I can't find a location to download the security patches for either
product.
Thanks
Rory McCune
ro...@mccune.org.uk
On Jan 8, 2:28 pm, "raesene" <raes...@gmail.com> wrote:
> Hi,
>
> I wonder if anyone could point me in the right direction of where I can
> download Security Patches for Oracle database software (9i and 10g)
> without having a Metalink account.
>
> I've downloaded the free versions of the software from http://www.oracle.com/technology/software/products/database/xe/htdocs...
> and http://www.oracle.com/technology/software/products/oracle9i/htdocs/wi...
> but I can't find a location to download the security patches for either
> product.
>
> Thanks
>
> Rory McCune
For any patch, whether an upgrade or a security patch, a Metalink
account is required.
The developers license explicitly excludes the entitlement to upgrades,
so how do you expect Oracle is going to provide security patches for
free.
Actually it is strange you are asking this question, because the answer
is in your license agreement.
--
Sybrand Bakker
Senior Oracle DBA
The whole reason that Oracle sells support contracts is for maintenance
and so that you can keep the Oracle software patched and secure.
Oracle software is ("for the most part") not open source.
You cannot and are not allowed to download Oracle patches (through
Metalink) without having a valid support contract. Anyone that
provides Oracle patches and/or patchsets to anyone without a valid
support contract is in legal jeopardy.
Once you have a valid support contract you can get a Metalink account and
proceed. If your organization has a valid support contract but you
don't have Metalink access you have 3 choices:
1) get the people in your organization to get access for you
2) get the people in your organization to provide the patches/patchsets
for you
3) contact Oracle to determine the name and contact information for the
people in your organization that control and administer the Metalink
access for you
Thanks for the response. This did seem to be the case but I wanted to
check.
As to why Oracle should provide patches for free, well if people have
downloaded and installed the Oracle database software, it would seem to
be in Oracle's interest to want them to be using it in a secure
fashion.
Without that, developers using the software who don't have access to a
Metalink account may be vulnerable to attack through the Oracle
instance.
One other thing I did notice from reading the license agreement.
"We grant you a nonexclusive, nontransferable limited license to use
the programs for: (a) purposes of developing, prototyping and running
your applications for your own internal data processing operations;"
There's the implication there, if I'm reading it correctly, that it can
be used to run programs for a company's internal data processing
(although IANAL so I may be misreading that). So there's a risk there
that if an organisation are doing that then they will be running
vulnerable versions of the database.
Anyway thanks for confirming my initial impressions on this one.
Regards
Rory McCune
ro...@mccune.org.uk
Emphasis is on "developing, prototyping" ... not running.
>
> There's the implication there, if I'm reading it correctly, that it can
> be used to run programs for a company's internal data processing
> (although IANAL so I may be misreading that). So there's a risk there
> that if an organisation are doing that then they will be running
> vulnerable versions of the database.
It's fairly clearly stated that it's not intended to be used to run
production systems.
>
> Anyway thanks for confirming my initial impressions on this one.
You are welcome.
>One other thing I did notice from reading the license agreement.
>
>"We grant you a nonexclusive, nontransferable limited license to use
>the programs for: (a) purposes of developing, prototyping and running
>your applications for your own internal data processing operations;"
Ah, that's the Oracle XE license, which does allow full production use (within
its CPU, RAM and data limits).
However, there aren't any patches for it, not even Critical Patch Updates,
which has been the subject of some discussion recently.
e.g. http://www.petefinnigan.com/weblog/archives/00000973.htm
XE is therefore open to many critical vulnerabilities. Search for "Hacking and
Hardening Oracle Express Edition" for examples.
The other posters probably think you have the development license of the
"full" database, which has stricter license terms, such as:
"We grant you a nonexclusive, nontransferable limited license to use the
programs only for the purpose of developing a single prototype of your
application, and not for any other purpose. If you use the application you
develop under this license for any internal data processing or for any
commercial or production purposes, or you want to use the programs for any
purpose other than as permitted under this agreement, you must contact us, or
an Oracle reseller, to obtain the appropriate license."
... and ...
"You may not:
- use the programs for your own internal data processing or for any commercial
or production purposes, or use the programs for any purpose except the
development of a single prototype of your application;
- use the application you develop with the programs for any internal data
processing or commercial or production purposes without securing an appropriate
license from us;
- continue to develop your application after you have used it for any internal
data processing, commercial or production purpose without securing an
appropriate license from us, or an Oracle reseller;"
--
Andy Hassall :: an...@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Thanks for that, that explains what I was seeing in the license
agreement I was reading. Worrying information that Oracle don't seem
to be providing for security patches for XE.
Regards
Rory McCune
ro...@mccune.org.uk
The question of security patches for XE came up a month or two ago and
I emailed Mary Ann Davidson, Oracle's Chief Security Officer, about it to
obtain a clarification. The thread disappeared from my newsreader so I
never updated it with her response.
Essentially, as I understand it, Oracle plans to release new versions of
XE rather than patches.
--
Daniel A. Morgan
University of Washington
damo...@x.washington.edu
(replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org