Critical Patch Updates and Security Alerts

This page lists security patches, in the form of Critical Patch Updates (CPUs) and Security Alerts, that Oracle has released. The page is updated when new Critical Patch Updates and Security Alerts are released, and it is possible to receive notification of releases by email.

Click here for instructions on how to configure email notifications.
Click here to read the Technical White Paper, "Critical Patch Update Implementation Best Practices"

Critical Patch Updates

Critical Patch Updates are the primary means of releasing security fixes for Oracle products to customers with valid support contracts. They are released on the Tuesday closest to the 15th day of January, April, July and October. The next four dates are:

  • 14 July 2009
  • 13 October 2009
  • 12 January 2010
  • 13 April 2010

A pre-release announcement will be published on the Thursday preceding each CPU release.

The Critical Patch Updates released to date are listed in the following table. Please note that starting with the January 2008 CPU, the Critical Patch Update Advisory will only be posted on OTN and will no longer be posted on MetaLink or Customer Connection.

| Critical Patch Update | MetaLink Note ID | Latest Version/Date |
|---|---|---|
| Critical Patch Update - April 2009 | No MetaLink copy | Rev 3, 22 April 2009 |
| Critical Patch Update - January 2009 | No MetaLink copy | Rev 4, 23 March 2009 |
| Critical Patch Update - October 2008 | No MetaLink copy | Rev 3, 05 March 2009 |
| Critical Patch Update - July 2008 | No MetaLink copy | Rev 3, 05 March 2009 |
| Critical Patch Update - April 2008 | No MetaLink copy | Rev 4, 22 May 2008 |
| Critical Patch Update - January 2008 | No MetaLink copy | Rev 1, 15 January 2008 |
| Critical Patch Update - October 2007 | 455284.1 | Rev 1, 16 October 2007 |
| Critical Patch Update - July 2007 | 432865.1 | Rev 2, 19 July 2007 |
| Critical Patch Update - April 2007 | 420055.1 | Rev 2, 18 April 2007 |
| Critical Patch Update - January 2007 | 403335.1 | Rev 2, 05 March 2007 |
| Critical Patch Update - October 2006 | 391558.1 | Rev 4, 06 March 2006 |
| Critical Patch Update - July 2006 | 372927.1 | Rev 1, 18 July 2006 |
| Critical Patch Update - April 2006 | 360044.1 | Rev 1, 18 April 2006 |
| Critical Patch Update - January 2006 | 343382.1 | Rev 1, 17 January 2006 |
| Critical Patch Update - October 2005 | 333953.1 | Rev 2, 19 December 2005 |
| Critical Patch Update - July 2005 | 311034.1 | Rev 1, 12 July 2005 |
| Critical Patch Update - April 2005 | 301040.1 | Rev 2, 13 April 2005 |
| Critical Patch Update - January 2005 | 293953.1 | Rev 2, 15 March 2005 |


Security Alerts

Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update. The Security Alerts released since 2005 are listed in the following table. Click here for Security Alerts released before 2006.

| Security Alert Number and Description | Latest Version/Date |
|---|---|
| Alert for CVE-2008-3257 | Rev 3, 05 March 2009 |

Public Vulnerabilities Fixed

The Map of Public Vulnerability to Advisory/Alert indicates which public vulnerabilities are fixed in each Critical Patch Update and Security Alert.


Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the severity of the CPU or Security Alert and the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the pre-installation notes, the readme files, and FAQs. Oracle provides all customers with the same information in order to protect all customers equally. Oracle will not provide advance notification or "insider information" on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code (or "proof of concept code") for vulnerabilities in our products.

Oracle's policy and process for fixing security vulnerabilities explains the security vulnerability fixing lifecycle, including the correlation between Critical Patch Updates, patch sets and new releases.

MetaLink Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products.


Reporting Security Vulnerabilities

If you are an Oracle customer or an Oracle partner, please use MetaLink to submit a Service Request on any potential Oracle product security vulnerability. Otherwise, please email secalert_us@oracle.com with your discovery. We encourage people who wish to contact Oracle Security to employ email encryption, using our encryption key.

