posted by Fnord666 on Wednesday January 15 2020, @10:00PM   Printer-friendly
from the patchy-Tuesday dept.

Arthur T Knackerbracket has found the following story:

Oracle has patched 334 vulnerabilities across all of its product families in its January 2020 quarterly Critical Patch Update (CPU). Of these, 43 are critical/severe flaws carrying CVSS scores of 9.1 and above. The CPU ties Oracle's previous all-time high for the number of patches issued, set in July 2019, which had itself overtaken the earlier record of 308 patches in July 2017.

The company said in a pre-release announcement that some of the vulnerabilities affect multiple products.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible," it added.

The updates include fixes for Oracle's most widely deployed products, including the Oracle Database Server (12 patches, three remotely exploitable without authentication); Oracle Communications Applications (25 patches, 23 remotely exploitable without authentication, six critical); Oracle Enterprise Manager (50 patches, 10 remotely exploitable without authentication, four critical); Oracle Fusion Middleware (38 patches, 30 remotely exploitable without authentication, three critical); Oracle MySQL (19 patches, six remotely exploitable without authentication); and the Oracle E-Business Suite (23 patches, 21 remotely exploitable without authentication, two critical).

-- submitted from IRC



  • (Score: 2) by Hartree (195) on Wednesday January 15 2020, @10:20PM (#943806) (1 child)

    At least it's better than "We may fix that in the next release" that I heard oh so many times from them in the 1990s.

    • (Score: 2) by MostCynical (2589) on Thursday January 16 2020, @02:10AM (#943866)

      Or they only patch "current" versions [itnews.com.au]

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 1, Funny) by Anonymous Coward on Wednesday January 15 2020, @10:42PM (#943813)

    Since it affects multiple products, they should release some sort of interface for their applications that someone can program to. They could release this so-called application programming interface so that everybody could use and benefit from it. Win-win! How could they NOT like an approach like that?

  • (Score: 2) by Freeman (732) on Wednesday January 15 2020, @11:00PM (#943821)

    I'm pretty sure it's much better to be scoring like golf, not like basketball.

    Oh well, this way, they can show everyone that they're security conscious, just look at all the security patches we made in January 2020 and it's not even over yet!

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 4, Insightful) by Barenflimski (6836) on Wednesday January 15 2020, @11:13PM (#943824) (1 child)

    What happened over at Oracle? Did they simply not pay any attention to security until last quarter? Did they install a new security team that knew what they were doing?

    Somewhere in their development life-cycle it seems that they need to have some sort of QA. Then again when I need a patch, it doesn't matter how secure it is as long as things start to work on day 1. Sounds to me like their code is fumbled together with a secondary review of their code coming later in the process. If this is true, I can only imagine there are oodles of systemic issues that will never be ferreted out of the system without doing a complete rewrite.

    • (Score: 3, Interesting) by darkfeline (1030) on Thursday January 16 2020, @04:14AM (#943894)

      Or more likely, they have incompetent teams fixing the security issues on legacy code bases, such that each fix introduces at least one new issue.

      --
      Join the SDF Public Access UNIX System today!
  • (Score: 3, Insightful) by ilsa (6082) on Thursday January 16 2020, @12:00AM (#943833) (2 children)

    I'm very curious to know how many customers they even still have. I haven't heard of anyone moving TO Oracle in years, and I've heard of plenty that were moving away as quick as their contracts would let them.

    I'm guessing the only ones left are companies who are so deeply invested that it would cost them more to move than to pay Oracle's outrageous licensing fees.

    • (Score: 3, Interesting) by edIII (791) on Thursday January 16 2020, @12:58AM (#943842) (1 child)

      Check the products though. There are at least three in there that are, more or less, open source: MySQL, Java SE, and VirtualBox. I use PostgreSQL and OpenJDK, but the version of VirtualBox I'm running right now is vulnerable somehow.

      Depending on server version, this may impact quite a large number of installations of MySQL and Java SE.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 0) by Anonymous Coward on Thursday January 16 2020, @06:55PM (#944154)

        anyone who is not using MariaDB instead is an asshat.
