Create CVE links on Oracle CPU Page

As you probably know, Oracle now releases CPUs (Critical Patch Updates) every 3 months. If you have ever read any of these CPU Advisories, you know it does not make much sense to read them. But they exist. Since CPUJul2008 Oracle has replaced its internal numbering (like DBnn) with CVE (Common Vulnerabilities and Exposures) numbering. Does it make any sense? In my opinion it would, but not in this way. These CVEs do NOT contain any really useful information.

The CVE database is an open database anybody can access. If Oracle is using CVE numbers, why is it not creating links from the Advisory page to the CVE pages? Would it not be more comfortable just to click on a link if you are interested in details, instead of searching for CVE numbers manually? I think the missing link is the confession of how useless this numbering is in Oracle's case.

If you read a CPU Advisory released after Jul 2008, you will find CVE numbers before every identified security bug, but if you want to check the CVE you have to find it by hand, and you will find no more info even on that page. So it does not make much sense, because the CVE has NO useful info in it, but here is a VERY SIMPLE GreaseMonkey script which inserts two links after the CVE that you can click on to immediately check the "details" of the CVE.

But I repeat: the CVE links are not in the CPU Advisory because the CVE does NOT contain any relevant info about the security problem.
I hope it will change in the near future and the CVE or the CPU will give us some useful detail.

// ==UserScript==
// @name Oracle CPU Risk Matrix CVE- Link Creator
// @namespace http://tamastarjanyi.blogspot.com/
// @description Replaces simple CVE text on Oracle CPU pages (Like http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html ) to links
// @include http://*.oracle.com/*
// ==/UserScript==

// typeof avoids a ReferenceError when the Greasemonkey API is not defined at all.
if (typeof GM_xmlhttpRequest === "undefined") {
    alert('Please upgrade to the latest version of Greasemonkey.');
}

// Match the full CVE identifier so only the ID, not the whole cell, goes into the URL.
var cvePattern = /CVE-[0-9]{4}-[0-9]+/;
var tds = document.getElementsByTagName("td");

// Index loop: "for (i in tds)" would also visit length/item and fail on them.
for (var i = 0; i < tds.length; i++) {
    var found = tds[i].innerHTML.match(cvePattern);
    if (found) {
        var cveId = found[0];
        // Keep the cell content and append the two lookup links after it.
        tds[i].innerHTML += ' (<a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + cveId + '">mitre</a>'
            + ' | <a target="_blank" href="http://nvd.nist.gov/nvd.cfm?cvename=' + cveId + '">nvd</a> )';
    }
}
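
A DOM-based variant of the script above, as an added example that is not part of the original post: it handles several CVE IDs in one cell, skips cells that only wrap a nested table, and builds the links as nodes instead of concatenating page text into innerHTML. The function names are hypothetical; the two URL patterns are the ones the script already uses.

```javascript
// Added example (not from the original post); function names are hypothetical.
const CVE_RE = /CVE-\d{4}-\d{4,}/g;

// Unique CVE IDs found in a string, in order of first appearance.
function extractCveIds(text) {
  const seen = new Set();
  for (const m of text.matchAll(CVE_RE)) seen.add(m[0]);
  return [...seen];
}

// The two lookup URLs used by the script above, with the ID URL-encoded.
function cveLinks(id) {
  const q = encodeURIComponent(id);
  return {
    mitre: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=" + q,
    nvd: "http://nvd.nist.gov/nvd.cfm?cvename=" + q,
  };
}

// Append "(mitre | nvd)" anchors to a cell using DOM nodes only, so no page
// text is ever re-parsed as HTML. Returns the number of IDs annotated.
function annotateCell(td, doc) {
  const ids = extractCveIds(td.textContent);
  for (const id of ids) {
    const links = cveLinks(id);
    td.appendChild(doc.createTextNode(" (" + (ids.length > 1 ? id + ": " : "")));
    Object.keys(links).forEach((label, n) => {
      if (n > 0) td.appendChild(doc.createTextNode(" | "));
      const a = doc.createElement("a");
      a.href = links[label];
      a.target = "_blank";
      a.rel = "noopener noreferrer"; // new tab gets no handle on this page
      a.textContent = label;
      td.appendChild(a);
    });
    td.appendChild(doc.createTextNode(")"));
  }
  return ids.length;
}

// Runs only in a browser (Greasemonkey); skipped when loaded under Node.
if (typeof document !== "undefined") {
  for (const td of Array.from(document.getElementsByTagName("td"))) {
    if (td.querySelector("td")) continue; // layout cell wrapping a nested table
    annotateCell(td, document);
  }
}
```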
