Hi, this is Eric Maurice.
In a previous blog entry, we invited customers to provide feedback in regards to the content of the Critical Patch Update advisory for Oracle Sun products. Such feedback is very valuable, and continues to drive the definition of Oracle Software Security Assurance policies.
As a result of the feedback received, Oracle has updated its policies to include the mapping of each vulnerability's CVE number to the particular Solaris package patch version (patchid), in all future Solaris CPU Patch Availability Documents. The updated policy will be effective with the October 2010 Critical Patch Update onward.
With the Critical Patch Update, Oracle's objective is to positively influence the security posture of all customers by providing the most effective vulnerability remediation program in the industry. This means not only producing effective, fully tested, security patches on all supported platform and version combinations every quarter, but also providing sufficient information about the newly-fixed vulnerabilities to enable customers to make proper patching decision and effectively manage their security management costs.
For More Information: