As announced yesterday in my post Oracle CPU / PSU Pre-Release Announcement October 2013, Oracle has now released the last Critical Patch Update for 2013. Overall, this CPU contains 126 new security fixes across several Oracle products such as Database Server, MySQL Server, Sun Product Suite, WebLogic Server, etc. For Oracle Database it contains only 2 security fixes with a rather medium CVSS rating. Although the Core RDBMS is affected, it is probably not necessary to run a fire drill. If you have planned to patch anyway, it makes sense to consider the latest PSU or SRU. And if you plan to install the Oracle 11.2.0.4.0 patch set, this critical patch update can even be skipped, since there is no PSU or SPU available for 11.2.0.4. According to the patch read-me, it seems that CVE-2013-5771 is fixed in 11.2.0.4. But I can’t confirm this, because I could not find a Bug-ID to compare.
By the way, Oracle has changed a few things in database security patching for 12c. They will no longer publish separate security patch updates (SPU), but solely patch set updates (PSU).
CPU Release Dates
The next four Critical Patch Updates will be released on the following dates:
- 14 January 2014
- 15 April 2014
- 15 July 2014
- 14 October 2014
References
Links related to the Critical Patch Update:
- Oracle Critical Patch Update Advisory – October 2013
- Patch Set Update and Critical Patch Update October 2013 Availability Document [1571391.1]
- Oracle Critical Patch Update October 2013 Documentation Map [1569424.1]
- Critical Patch Update October 2013 Database Known Issues [1571655.1]
- Critical Patch October 2013 Database Patch Security Vulnerability Molecule Mapping [1571653.1]
- Oracle Critical Patch Updates and Security Alerts on OTN