April 18, 2007 11:28 AM PDT

Oracle to be more selective in patch development

Oracle plans to stop automatically producing security patches for all systems its software runs on, instead creating fixes for uncommon combinations on request, the company said Tuesday.

The various versions of Oracle's database software and business applications run on a wide variety of operating systems. The Redwood City, Calif.-based company has been releasing security fixes for the bulk of those. That's changing with its next scheduled patch release in July because some fixes were seldom downloaded, it said.

"There are certain platform and version combinations that historically have been inactive," Eric Maurice, a manager for security at Oracle, wrote on a corporate blog. "Instead of systematically creating (updates) for those inactive combinations, we will only produce those patches if clients specifically request them."

Oracle will continue to include the fixes in the main code and future releases of the applicable software programs, as well as in "patch sets," which are product updates that include more than just security fixes.

Oracle announced the change in its patch plans at the same time it put out its April fixes. The "Critical Patch Update" offers fixes for 36 vulnerabilities across Oracle's products, including 14 in the company's widely used database software. Several of the vulnerabilities could be exploited remotely by an anonymous attacker, Oracle said.

"Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," Oracle said in a security advisory.

However, some Oracle customers using the Windows operating system will have to wait until April 30 for the database fixes. Oracle doesn't yet have an update for release of its database software running on Windows because of quality issues, a company representative said.

Oracle's next Critical Patch Update is on July 17.

See more CNET content tagged:
Oracle Corp., database software, fix, combination, database

1 comment

Join the conversation!
Add your comment
They need to be more responsible
Patch as required.

When a critical flaw is found... patch it within 24 hours.

When a non-critical flaw is found... patch it within 72 hours.

It's "Responsibility"... NOT "Selectivity" that is needed!!!

Posted by wbenton (522 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.