2011-12-08 17:23:11 UTC
I've got a rather big annoyance to deal with these days.
I need PCI-DSS compliance for my systems, and that includes knowing
about vulnerabilities, and applying critical patches one month after
In that aspect, things have changed drastically since Oracle took
over. I think I've already complained about those patches whose
synopsis is «Problem with xxx».
Basically, now Oracle will only list which CVEs are fixed by which
patches in its Critical Patch Update, which is a quarterly result.
The fix itself might have been released in a patch long before, just
it was done without any information letting us know what it fixes.
I opened a case and was told it's just policy, so I can go google myself.
Even more impractical: those CPU things, such as the one below, only
list «Solaris proper» vulnerabilities:
The «Open Source Stuff» gets its own blog, which is updated regularly
(but not quite perfect, the Search is broken):
I am letting my salespeople know that I am not happy about this. It
means there's no way for me to know what patches are critical or not.
Are some of you dealing with that already? I'd be very interested to
have some hints on any practical way to follow those things without