- Alexander Kornbrust Oracle Security Blog - http://blog.red-database-security.com -

Oracle Critical Patch Update October 2008 is out

Posted by Alexander Kornbrust on 14 Oct 2008 @ 21:22 in Oracle Security | No Comments

Oracle just released the [1] CPU for October 2008. This time Oracle fixed 36 security bugs across all products. Oracle recommends applying this CPU with the following words:

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible.”

The credits go to the usual suspects: Esteban, Joxean, Pete, Slavik, Amichai, plus a few new people like Chris Valasek, Jack Kanter, Tony Fogarty, Guy.

Oracle fixed 4 of my vulnerabilities with this CPU. Some of my issues were reported in 2005…

  • SQL INJECTION IN UPGRADE SCRIPT EXFEAPVS.SQL (CVE-2008-3980)
  • OLAP_USER HAS CREATE PUBLIC SYNONYM PRIVILEGE (CVE-2008-2624)
  • JDeveloper: plaintext password in IDEConnections.xml (CVE-2008-2588)
  • SHUTDOWN ANY UNPROTECTED TNS LISTENER VIA REPORTS SERVLET (CVE-2008-2619)

I will release advisories within the next few days.


Article URL: http://blog.red-database-security.com/2008/10/14/oracle-critical-patch-update-october-2008-is-out/

URLs in this post:
[1] CPU: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html