On 08.08.2013 18:02, Terry Bohaning wrote:
Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
119213 26 < 27 RS- 547 NSS_NSPR_JSS 3.13.1: NSPR 4.8.9 / NSS 3.13.1 / JSS 4.3.2

What concerns me are the lines similar to patch 119213 where the age exceeds
the last set of patches that were installed.

Thanks a lot to Neil for the excellent explanation!

As far as 119213 is concerned, I can provide a few more details. Until 2013-04-21 there were two revisions of this patch: 119213-26, which was marked "Recommended" but had already been obsoleted by 119213-27 since the latter's publication date of 2012-02-08.

In the patchdiag.xref file from 2013-04-22, 119213-26 disappeared and 119213-27 was marked "Recommended".

So on that day Oracle decided to include revision 27 in the set of recommended patches, although it had been out for more than a year by that time. The mechanics behind such decisions are unclear and undocumented.

In this particular case it's especially strange, as revision 27 includes these fixes:

13341290 DIS-TRUST DIGINOTAR ROOT CERTIFICATE
13341314 (CVE-2011-3389) RIZZO/DUONG CHOSEN PLAINTEXT ATTACK (BEAST) ON SSL/TLS 1.0

... which definitely sound as if they should have been "Recommended" right after the patch was published in 2012.

As for the auditors, it's like Neil said: you installed all recommended patches which were recommended at that time. Sure, there have been new patches and recommendations since then, but that's something to fix in the next patch cycle.

hth,
Martin.

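Terry's concern in the quoted report (a current revision whose Age exceeds the time since the last patch run) can be checked mechanically, and Martin's explanation tells you how to read a hit: the revision was either skipped, or it was published earlier but only flagged "Recommended" later, as with 119213-27. The following is an added example, not code from the thread or from the tool that produced the quoted report. It parses lines in the quoted column layout (Patch, IR, CR, RSB, Age, Synopsis), assumes Age is the number of days since the current revision was released (547 days before the 2013-08-08 message date is 2012-02-08, the publication date Martin gives for 119213-27), and lists installed patches whose current revision already existed at a given last-cycle date. The second and third report lines, their patch IDs and the last-cycle date are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Column layout of the report quoted in the thread:
#   Patch  IR   CR RSB Age Synopsis
#   119213 26 < 27 RS- 547 NSS_NSPR_JSS 3.13.1: NSPR 4.8.9 / NSS 3.13.1 / JSS 4.3.2
# IR = installed revision, CR = current revision, RSB = Recommended /
# Security / Bad flags, Age = days since CR was released (assumption).
LINE_RE = re.compile(
    r"^(?P<patch>\d{6})\s+(?P<ir>\d{2})\s+(?P<cmp>\S)\s+(?P<cr>\d{2})\s+"
    r"(?P<rsb>[R-][S-][B-])\s+(?P<age>\d+)\s+(?P<synopsis>.*)$"
)

# Constructed sample: the first data line is the one quoted in the thread,
# the other two are made up for illustration (fictitious patch IDs).
SAMPLE_REPORT = """\
Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
119213 26 < 27 RS- 547 NSS_NSPR_JSS 3.13.1: NSPR 4.8.9 / NSS 3.13.1 / JSS 4.3.2
100001 03 < 04 -S-  30 CONSTRUCTED: security fix released after the last cycle
100002 01 < 02 --- 400 CONSTRUCTED: old revision, neither Recommended nor Security
"""

REPORT_DATE = date(2013, 8, 8)   # date of the message carrying the report
LAST_CYCLE = date(2013, 3, 1)    # assumed date of the previous patch run


@dataclass
class Entry:
    patch: str
    installed_rev: int
    current_rev: int
    recommended: bool
    security: bool
    bad: bool
    age_days: int
    synopsis: str


def parse_report(text: str) -> List[Entry]:
    """Parse report lines; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        rsb = m["rsb"]
        entries.append(Entry(
            patch=m["patch"],
            installed_rev=int(m["ir"]),
            current_rev=int(m["cr"]),
            recommended=rsb[0] == "R",
            security=rsb[1] == "S",
            bad=rsb[2] == "B",
            age_days=int(m["age"]),
            synopsis=m["synopsis"].strip(),
        ))
    return entries


def release_date(entry: Entry, report_date: date) -> date:
    """Reconstruct the current revision's release date from the Age column."""
    return report_date - timedelta(days=entry.age_days)


def predates_cycle(entry: Entry, report_date: date, last_cycle: date) -> bool:
    """True if the current revision was already published when the last
    patch cycle ran, i.e. it was available then but is not installed now."""
    return release_date(entry, report_date) < last_cycle


def audit(text: str, report_date: date, last_cycle: date,
          flagged_only: bool = True) -> List[Entry]:
    """Installed patches that lag behind a current revision which already
    existed at the last cycle.  With flagged_only, restrict to revisions now
    marked Recommended or Security, the ones an auditor will ask about.
    The report alone cannot say whether such a revision was skipped or only
    flagged after the cycle; check the patchdiag.xref in use at that time."""
    hits = []
    for e in parse_report(text):
        if e.installed_rev >= e.current_rev:
            continue
        if flagged_only and not (e.recommended or e.security):
            continue
        if predates_cycle(e, report_date, last_cycle):
            hits.append(e)
    return hits


def audit_sample(flagged_only: bool = True) -> List[str]:
    """Patch IDs flagged by audit() on the constructed sample report."""
    return [e.patch for e in audit(SAMPLE_REPORT, REPORT_DATE, LAST_CYCLE, flagged_only)]


if __name__ == "__main__":
    for e in audit(SAMPLE_REPORT, REPORT_DATE, LAST_CYCLE):
        print(f"{e.patch}-{e.current_rev:02d} released {release_date(e, REPORT_DATE)}, "
              f"before last cycle {LAST_CYCLE}; installed revision is {e.installed_rev:02d}")
```

Run stand-alone, the script reports 119213-27 as released on 2012-02-08, well before the assumed 2013-03-01 cycle; the constructed 100001 is excluded because its revision is newer than the cycle, and 100002 only appears when flagged_only is turned off. For a real audit, replace the constructed dates with the date of the report and of your last patch run, and keep the patchdiag.xref snapshot from that run so you can show which revisions carried the Recommended flag at the time.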