Critical Patch Updates, Security Alerts and Third Party Bulletin



This page lists announcements of security fixes made in Critical Patch Update Advisories and Security Alerts, and it is updated when new Critical Patch Update Advisories and Security Alerts are released. It is possible to receive notification of new announcements by email, as explained in the page linked below. Security fixes in third party products distributed with Oracle products are announced in the Third Party Bulletin, whose purpose and location are explained below.

 Click here for instructions on how to configure email notifications.
 Click here to read the Technical White Paper, "Critical Patch Update Implementation Best Practices"

This page contains the following sections:

Critical Patch Updates
Security Alerts
Third Party Bulletin
Public Vulnerabilities Fixed
Policies
Reporting Security Vulnerabilities
References

Critical Patch Updates

Critical Patch Updates are collections of security fixes for Oracle products. They are available to customers with valid support contracts. They are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 14 October 2014
  • 20 January 2015
  • 14 April 2015
  • 14 July 2015

Starting with the October 2013 Critical Patch Update, security fixes for Java SE are released under the normal Critical Patch Update schedule.

A pre-release announcement will be published on the Thursday preceding each Critical Patch Update release.

The Critical Patch Updates released to date are listed in the following table.

Critical Patch Update Latest Version/Date
Critical Patch Update - July 2014 Rev 2, 24 July 2014
Critical Patch Update - April 2014 Rev 2, 28 April 2014
Critical Patch Update - January 2014 Rev 1, 14 January 2014
Critical Patch Update - October 2013 Rev 4, 22 November 2013
Critical Patch Update - July 2013 Rev 4, 11 September 2013
Critical Patch Update - April 2013 Rev 1, 16 April 2013
Critical Patch Update - January 2013 Rev 2, 17 January 2013
Critical Patch Update - October 2012 Rev 1, 16 October 2012
Critical Patch Update - July 2012 Rev 1, 17 July 2012
Critical Patch Update - April 2012 Rev 2, 19 July 2012
Critical Patch Update - January 2012 Rev 3, 23 January 2012
Critical Patch Update - October 2011 Rev 3, 20 October 2011
Critical Patch Update - July 2011 Rev 7, 15 December 2011
Critical Patch Update - April 2011 Rev 5, 12 May 2011
Critical Patch Update - January 2011 Rev 3, 1 February 2011
Critical Patch Update - October 2010 Rev 1, 12 October 2010
Critical Patch Update - July 2010 Rev 1, 13 July 2010
Critical Patch Update - April 2010 Rev 1, 13 April 2010
Critical Patch Update - January 2010 Rev 2, 04 February 2010
Critical Patch Update - October 2009 Rev 1, 20 October 2009
Critical Patch Update - July 2009 Rev 3, 03 September 2009
Critical Patch Update - April 2009 Rev 4, 03 September 2009
Critical Patch Update - January 2009 Rev 4, 03 September 2009
Critical Patch Update - October 2008 Rev 3, 03 September 2009
Critical Patch Update - July 2008 Rev 3, 05 March 2009
Critical Patch Update - April 2008 Rev 4, 22 May 2008
Critical Patch Update - January 2008 Rev 1, 15 January 2008
Critical Patch Update - October 2007 Rev 1, 16 October 2007
Critical Patch Update - July 2007 Rev 2, 19 July 2007
Critical Patch Update - April 2007 Rev 2, 18 April 2007
Critical Patch Update - January 2007 Rev 2, 05 March 2007
Critical Patch Update - October 2006 Rev 4, 06 March 2006
Critical Patch Update - July 2006 Rev 1, 18 July 2006
Critical Patch Update - April 2006 Rev 1, 18 April 2006
Critical Patch Update - January 2006 Rev 1, 17 January 2006
Critical Patch Update - October 2005 Rev 2, 19 December 2005
Critical Patch Update - July 2005 Rev 1, 12 July 2005
Critical Patch Update - April 2005 Rev 2, 13 April 2005
Critical Patch Update - January 2005 Rev 2, 15 March 2005

The following table includes Critical Patch Updates for Oracle Java SE.

Java SE Critical Patch Update Latest Version/Date
Java SE Critical Patch Update - June 2013 Rev 1, 18 June 2013
Java SE Critical Patch Update - April 2013 Rev 1, 16 April 2013
Java SE Critical Patch Update - February 2013 - Special Update Rev 1, 19 February 2013
Java SE Critical Patch Update - February 2013 Rev 2, 07 February 2013
Java SE Critical Patch Update - October 2012 Rev 1, 16 October 2012
Java SE Critical Patch Update - June 2012 Rev 1, 12 June 2012
Java SE Critical Patch Update - February 2012 Rev 3, 17 May 2012
Java SE Critical Patch Update - October 2011 Rev 1, 18 October 2011
Java SE Critical Patch Update - June 2011 Rev 1, 07 June 2011
Java SE and Java for Business Critical Patch Update - February 2011 Rev 1, 15 February 2011
Java SE and Java for Business Critical Patch Update - October 2010 Rev 1, 12 October 2010
Java SE and Java for Business Critical Patch Update - March 2010 Rev 3, 08 April 2010


Security Alerts

Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update. The Security Alerts released since 2005 are listed in the following table. Click here for Security Alerts released before 2006. Security Advisory Notifications prior to July 2008 for BEA products are located here. Security Sun Alert notifications prior to April 2010 for Sun products are located here.

Security Alert Number And Description Latest Version/Date
Alert for CVE-2014-7169 Bash Rev 3, 28 September 2014
Alert for CVE-2014-0160 OpenSSL "Heartbleed" Rev 1, 18 April 2014
Alert for CVE-2013-1493 Rev 1, 04 March 2013
Alert for CVE-2013-0422 Rev 1, 13 January 2013
Alert for CVE-2012-4681 Rev 1, 30 August 2012
Alert for CVE-2012-3132 Rev 1, 10 August 2012
Alert for CVE-2012-1675 Rev 3, 20 June 2014
Alert for CVE-2011-5035 Rev 2, 29 March 2012
Alert for CVE-2011-3192 Rev 1, 15 September 2011
Alert for CVE-2010-4476 Rev 1, 08 February 2011
Alert for CVE-2010-0886 Rev 2, 18 May 2010
Alert for CVE-2010-0073 Rev 1, 04 February 2010
Alert for CVE-2008-3257 Rev 3, 05 March 2009

Third Party Bulletin

Oracle has no control over the timing and content of security fixes created by third parties. Consequently, the Third Party Bulletin, rather than Oracle Critical Patch Update Advisories and Security Alerts, has been used by Oracle as a mechanism to announce security fixes for third party software distributed with various Oracle Sun products.

The Third Party Patch Map lists security patches announced for third party software organized by Oracle products.

 

Public Vulnerabilities Fixed

The Map of Public Vulnerability to Advisory/Alert indicates which public vulnerabilities are fixed in each Critical Patch Update and Security Alert.

 


Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update or a Security Alert. The results of the security analysis are reflected in the Critical Patch Update or Security Alert and the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Patch Update or Security Alert notification, the pre-installation notes, the readme files, and FAQs. Oracle provides all customers with the same information in order to protect all customers equally. Oracle will not provide advance notification or "insider information" on Critical Patch Updates or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code (or "proof of concept code") for vulnerabilities in our products.

Oracle's policy and process for fixing security vulnerabilities explains the security vulnerability fixing lifecycle, including the correlation between Critical Patch Updates, patch sets and new releases.

My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products.


Reporting Security Vulnerabilities

Refer to the guidelines on the Oracle Software Security Assurance web site for reporting security vulnerabilities.


References