[pca] Incorrect permissions in prepatch for 121118-19
Martin Paul
martin at par.univie.ac.at
Fri Nov 25 13:18:15 CET 2011
laurent at elanor.org wrote:
> However, I believe we are hitting a fundamental flaw of the Oracle patch
> download system here:
>
> If you go back to my previous email with the debug run, the request for
> the patch is secure: https://updates.oracle.com/all_unsigned/121118-19.zip
>
> If the patch were *really* downloaded as httpS, then the proxy would not
> be able to tamper with it.
> BUT that https link then redirects to an http one, and the actual
> download is clear-text.

Hm, you're right. Looking at the log from my proxy server, this seems to have
changed in July with the last changes to Oracle's backend structure:

Before, patches came from https://a248.e.akamai.net/, but since that change it
is now either http://aru-llnw-dl.oracle.com/ or http://aru-akam.oracle.com/. So
the actual patch download silently switched from HTTP to HTTPS.

Martin.
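
The redirect behaviour discussed in this thread can be caught on the client side. The following is an added example, not part of the original message and not pca's own code: a Python `urllib` redirect handler that refuses any hop from HTTPS to a non-HTTPS URL, plus a helper that audits a recorded redirect chain. The path on the cleartext host is constructed for illustration; only the host names and the starting URL come from the thread.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Starting URL as quoted in the thread; the redirect target path is constructed.
START = "https://updates.oracle.com/all_unsigned/121118-19.zip"
CLEARTEXT_HOP = "http://aru-akam.oracle.com/constructed/121118-19.zip"


def is_downgrade(current_url, next_url):
    """True if following next_url (absolute or relative) leaves HTTPS."""
    cur = urlsplit(current_url).scheme.lower()
    nxt = urlsplit(urljoin(current_url, next_url)).scheme.lower()
    return cur == "https" and nxt != "https"


def audit_chain(start_url, locations):
    """Given the Location values of a recorded redirect chain,
    return (from, to) pairs for every hop that drops out of HTTPS."""
    findings, current = [], start_url
    for loc in locations:
        target = urljoin(current, loc)
        if is_downgrade(current, target):
            findings.append((current, target))
        current = target
    return findings


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects as usual, but fail closed on HTTPS -> cleartext."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            raise urllib.error.URLError(
                f"refusing redirect from {req.full_url} to cleartext {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url, timeout=30):
    """Download url; the transfer aborts if any redirect leaves HTTPS."""
    opener = urllib.request.build_opener(NoDowngradeRedirectHandler)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

With this handler the download fails instead of silently continuing in cleartext, so a proxy on the path cannot substitute the patch contents unnoticed.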