Archive for September, 2009

Oracle postpones October 2009 CPU

Freitag, September 4th, 2009

Yesterday Oracle announced that the Oracle October 2009 CPU will be postponed due to the Oracle Openworld in San Francisco.Instead of releasing the patches on the 13th October 2009, Oracle will release them 1 week later at the 20th of October. The reason is that many people responsible for deploying the Oracle CPU will be at the Openworld.Good choice because I will visit the Openworld to and will give a presentation on SQL Injection.

New Security Features Oracle 11g Release 2

Dienstag, September 1st, 2009

Here are the New Features Oracle 11g Release 2.

  •  Enhancements to the Audit Trail Cleanup Process
    (Oracle has added several enhancements to the audit trail cleanup process, e.g. set maximum size and age for os audit trails, mobe audit trail from SYSTEM tablepace, purge audit trail records in one operation or purge job, timestamp audit trail records based on their archive date)
  • Enhancements to Directory Objects
    (Execute Privilege for Directory Objects. Since Oracle 11.1.0./10.2.0.5 it is possible to run OS commands via external tables. This privilege allows to restrict the execution of OS commands.
    Auditing of directory objects „AUDIT EXECUTE ON DIRECTORY rds_dir BY ACCESS;“)
  • Enhancements to Fine-Grained Access to External Network Services
    (utl_http supports azon Simple Storage Service (S3) scheme,
    support for IPv6)
  • Global Application Contexts Available Across Oracle RAC Instances
  • Secure Sockets Layer (SSL) Version 2 Support Change
    (SSL is no longer included in the default list of default supported protocols)
  • Tablespace Master Key Rekey: Changing the Encryption Key Password
    (To fullfil the PCI DSS requirements it is now possible to rotate the encryption key)

Some features are deprecated with this version of Oracle:

  • DB_EXTENDED Setting for the AUDIT_TRAIL Parameter Deprecated
    (instead use the DB,EXTENDED string)
  • WKUSER Role and Ultra Search Schemas Deprecated
    (The WKUSER role and the schemas WKSYS, WKTEST, WKPROXY have been deprecated)
  • Database Configuration Assistant No Longer Provides Default Security Settings
    (Audit options and password policies are automatically added to the database if you use DBCA)
  • ALTER USER Clause AUTHENTICATED USING PASSWORD Deprecated
    (btw „IDENTIFIED BY VALUES is still undocumented, see Oracle documentation)
  • Password for the listener.ora File Deprecated
    (According to Oracle it is no longer needed and will be removed in Oracle 12)

Oracle 11.2.0.1.0 is available for download

Dienstag, September 1st, 2009

I just saw on OTN that Oracle 11.2.0.1.0 is out.

New possibility for new security bugs 😉