Archive for October, 2008

Oracle Critical Patch Update October 2008 is out

Tuesday, October 14th, 2008

Oracle just released the CPU for October 2008. This time Oracle fixed 36 security bugs across all products. Oracle recommends applying this CPU, in the following words:

„Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible.“

Credit goes to the usual suspects: Esteban, Joxean, Pete, Slavik, Amichai, plus a few new people like Chris Valasek, Jack Kanter, Tony Fogarty, Guy.

Oracle fixed 4 of my vulnerabilities with this CPU. Some of my issues were reported in 2005…

  • SQL INJECTION IN UPGRADE SCRIPT EXFEAPVS.SQL (CVE-2008-3980)
  • OLAP_USER HAS CREATE PUBLIC SYNONYM PRIVILEGE (CVE-2008-2624)
  • JDeveloper: plaintext password in IDEConnections.xml (CVE-2008-2588)
  • SHUTDOWN ANY UNPROTECTED TNS LISTENER VIA REPORTS SERVLET (CVE-2008-2619)

I will release advisories within the next few days.