The Oracle Global Product Security Blog

Hello, this is Duncan Harris again.  Starting with the October 2006 CPU, Oracle enhanced its Critical Patch Update (CPU) documentation to include executive summaries and CVSS ratings to help customers quickly assess the criticality of the security flaws addressed in the CPU.  Starting today, for the January 2007 CPU, Oracle will also publish a summary of the CPU documentation prior to the CPU release date, called a CPU Pre-Release Announcement, in order to further help customers plan for their forthcoming patching effort.

Each CPU Pre-Release Announcement will provide the following information:

• Name and version numbers of the Oracle products affected by new vulnerabilities that are fixed in the CPU
  
• Specific product components affected
  
• How many vulnerabilities we are fixing in total and in each suite
  
• The CVSS base score of the most severe vulnerability in total and in each suite
  
• And, potentially, any other information that may be relevant to help organizations plan for the application of the CPU in their environment

While Oracle will try to make CPU Pre-Release Announcements as accurate as possible at the time of their publication, the information they contain may change before the actual publication of the CPU.

The January 2007 Critical Patch Update will be released on Tuesday, January 16^th at 1:00 PM Pacific Time (9:00 PM GMT).  The Critical Patch Update Pre-Release Announcement can be found online on the Critical Patch Update and Security Alerts page on Oracle Technology Network.

It is our hope that these Pre-Release Announcements will become valuable tools to help security professionals analyze the criticality of the forthcoming CPUs and brief their management to obtain any necessary approvals for a timely application of the CPUs.