Oracle has recently published the Pre-Release Announcement for the CPU Patch. This Critical Patch Update contains 56 new security vulnerability fixes for several Oracle products. 4 of these fixes are just for the Oracle Database Server, but none of them is for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 6.5, which is high but not critical. The following Database Server Products are affected.
- Application Express
- Core RDBMS
- Database Vault
- Oracle Text
So far the Database Server Patch’s are planned for Oracle Database 11g Release 2 (18.104.22.168), Oracle Database 11g Release (22.214.171.124), Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5) and Oracle Database 10g Release 1 (10.1.0.5). There seems to be no CPU patch for 126.96.36.199.
The official release for the CPU / PSU is planned for next week 18 October 2011. More details about the patch will follow soon on the Oracle Security Pages: