July 2006 Critical Patch Update Released
By Eric P. Maurice on Jul 18, 2006
Hello, this is Eric Maurice, Manager for Security in Oracle's Global Technology Business Unit.
Today, Oracle released its seventh Critical Patch Update (CPUJul2006). As previously introduced by Darius Wiles in his blog entry in April, the Critical Patch Update Process, initiated in early 2005, provides for Oracle to release patches for all of its products on a quarterly basis.
The Critical Patch Update Process is part of Oracle's Software Security Assurance, a comprehensive program that reflects Oracle's ongoing commitment to security for all its products in all phases of development and support. Did you know, for example, that every day we run hundreds of thousands of various tests against Oracle's products? The results of these tests often contribute to enhancing our development best practices (Oracle's Secure Coding Standards), which are enforced across our entire development organization.
Today's Critical Patch Update includes sixty-five new fixes for various versions of Oracle Database, Database Client, Application Server, Collaboration Suite, E-Business Suite and Applications, Enterprise Management, JD Edwards and PeopleSoft. Siebel has not yet been migrated into the Critical Patch Update Process, but we expect Siebel will be included in the next patch update on October 17, 2006.
It is worth mentioning that this Critical Patch Update also introduces changes to the documentation structure for Oracle Server Technology products; namely, the Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle Enterprise Manager Grid Control.
Previously, Critical Patch Update advisories linked to Pre-Installation Notes (PINs) for each product suite. Each PIN listed the patch or patches that were required for each combination of product version and operating system, and the known issues for all patches.
Starting with today's Critical Patch Update, the patch lists for the Oracle Server Technology products will be consolidated into a single document called the "Critical Patch Update Availability for Oracle Server and Middleware Products". The known issues have been moved into the README files that are bundled in the patches. Each README file only contains information relevant to the patch in which it is bundled, e.g. the Oracle Database 10.2.0.2 for Linux README only contains information relevant to the Oracle Database 10.2.0.2 for Linux patch.
This change was introduced to make it easier to access information that is relevant to a specific product version and operating system. MetaLink Note 372928.1 (subscription to MetaLink is required to access this document) provides a roadmap to the Oracle Critical Patch Update July 2006 documentation.
As usual, detailed information about the vulnerabilities addressed in this Critical Patch Update can be found on the Risk Matrices available with the CPU advisory on Oracle Technology Network at http://www.oracle.com/technology/deploy/security/alerts.htm.
Timely patch application is a critical component of good security management practices regardless of platforms and technical environments. Some time ago, Oracle posted a good white paper titled "Learn Critical Patch Update Implementation Best Practices" on http://www.oracle.com/security/index.html under the "Learn More" section. This technical white paper provides tips and guidelines for IT staff, specifically as they relate to the planning and implementation of updates in an Oracle environment. This white paper is a good starting point for those who are new to Oracle's Critical Patch Update process or have questions about how best to deal with updating their Oracle systems.