Oracle on Tuesday issued its third critical patch update for 2007, fixing 45 security issues across its Database, Application Server, Collaboration Suite, E-Business Suite, PeopleSoft and JD Edwards product lines.
With 17 patches, Oracle Database products top the fix list; two of those flaws are remotely exploitable without user authentication.
Oracle E-Business Suite received 14 patches, six of which are remotely exploitable. Collaboration Suite received five security fixes, with four remotely exploitable. Oracle Application Server needed four patches, three of which are remotely exploitable without user authentication. Oracle Application Express totaled one patch. Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne needed seven total fixes, only one of which is remotely exploitable without authorization.
The July Critical Patch Update (CPU) is the 11th such update since Oracle began the patch cycle initiative in 2004.
The patch cycle notifications continue to get more detailed. For example, in October 2006, Oracle began to detail which flaws were remotely exploitable without authentication. In this update, Oracle is adding the napply CPU (pronounced "en apply").
In a blog post, Eric Maurice, manager for security in Oracle's global technology business unit, explained that the napply CPU is an enhanced CPU format for Oracle Database Server for Unix and Linux platforms version 10.2.0.3 and onward (including 10.2.0.4 and 11g).
"In a napply CPU, the security fixes are now grouped in what are called molecules," Maurice wrote on the Oracle Global Product Security blog.
"Each molecule in the CPU is independent, and does not conflict with other molecules in the CPU. Conflicts between molecules occur when fixes included respectively in each molecule affect the same file or group of files. The napply CPU is for the benefit of customers who encounter merge conflicts when installing CPU patches."
Though Maurice noted that most Oracle customers never encounter such conflicts, the new CPU format should simplify patch conflict resolution procedures.
The July total for vulnerabilities is above the 36 flaws that Oracle fixed in its last CPU, which came out in April.