Oracle has issued a
major
patch release covering 85 vulnerabilities in its software.
The patch fixes a number of serious flaws, including one buffer overflow
vulnerability, 17 PL/SQL injection vulnerabilities in Oracle Database 10g and
Oracle9i Database Server, and flaws in the Oracle Reports Server used in 23
applications.
The patch also includes non-security fixes that are needed because of the
security patches.
Security firm Secunia
has issued an
advisory on the problems and rates the flaws as 'moderately critical'. It
urges users to patch as soon as possible.
"The new database vulnerabilities addressed by this critical patch update do
not affect Oracle Database Client-only installations that do not have the Oracle
Database Server installed," said Oracle in a statement.
"Therefore, it is not necessary to apply this critical patch update to
client-only installations if a prior critical patch update, or Alert 68, has
already been applied to the client-only installations."
Oracle has come in for severe criticism from security
specialists over the time it takes to patch vulnerabilities. In some cases the
company has taken two years to issue a vulnerability patch after it was
reported.
Do you agree?
Have your say on this article