Oracle just released their latest [1] Oracle Critical Patch Update (CPU) January 2008. As promised in the prelease announcement the patch contains 8 fixes for the database itself. As usual most of the vulnerabilities are coming from the usual suspects (Esteban, Joxean, David, Alex) and some other people like Pete Finnigan, Mariano Nunez Di Croce, Ali Kumcu and Alexandr Polyakov.

According to an email from Oracle secalert they fixed 7 of my vulnerabilities (tracking numbers: 6980733, 7520291, 9675443, 9675563, 9675681, 9675695, 9675857) but they mapped them to DB05, DB04 and DB02.

The highest database CVSS rating of 6.5 has DB01.
DB02, DB03, DB04 and DB05 are SQL Injection vulnerabilities allowing privilege escalation.

The highest application server CVSS ratings of 9.3 are 2 bugs (AS01, AS02) in Oracle Jinitiator 1.1.8.26 and 1.3.1.27 and affects clients only.

Other interesting information are described in the Metalink note [2] 466757.1. With this CPU it is necessary to recompile ALL Views to fix the [3] “VIEW” problems fixed with Oracle CPU July/October 2007.