38 replies to this topic

[AplusWebMaster]

FYI...

Oracle Critical Patch Update Advisory - July 2010
- http://www.oracle.co...cpujul2010.html
2010-July-13 - "... Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 59 new security fixes..."
(More details at the URL above.)

- http://www.us-cert.g..._patch_update13
"... security fixes:
• 6 for Oracle Database Server
• 2 for TimesTen In-Memory Database
• 5 for Oracle Secure Backup
• 7 for Oracle Fusion Middleware
• 1 for Oracle Enterprise Manager
• 7 for Oracle E-Business Suite
• 2 for Oracle Supply Chain Products Suite
• 8 for Oracle PeopleSoft and JDEdwards Suite
• 21 for Oracle Sun Products Suite ..."

- http://www.securityt...mmary/9000.html
2010-07-13 // 2010-07-14 - Oracle...
- http://www.securityfocus.com/
2010-07-13 // 2010-07-14 - Oracle...

Edited by AplusWebMaster, 14 July 2010 - 10:21 AM.

[AplusWebMaster]

FYI...

Oracle - GNOME Display Manager password disclosure weakness
- http://isc.sans.edu/...ml?storyid=9277
Last Updated: 2010-07-28 19:00:11 UTC - "According to this announcement:
http://secunia.com/advisories/40780/ ... "The problem is that passwords may in certain cases be logged to "/var/log/messages" while running GNOME Display Manager in debug mode (disabled by default)" This was originally reported on 02-15-2009 here:
https://bugzilla.gno...g.cgi?id=571846
A patch was issued the same day. A "supported" patch was issued 05-14-2010. The secunia advisory did not have many details. The sunblog link provided did not have very much information.
http://blogs.sun.com...word_disclosure
The CVE is reserved and not available yet. The rest of the information is apparently "in the Customer Area”. Does this mean we can count on a "no public disclosure policy" for SUN products now that Oracle owns them?"

- http://blogs.sun.com...y/cpu_july_2010
03 Aug 2010 - "In the July 2010 Critical Patch Update, per policy, Oracle no longer provided the mapping between CVE numbers and individual patches. As a result of customer input, Oracle will provide the CVE to individual patch mapping in the July 2010 Critical Patch Update. Oracle plans to reevaluate this policy in time for the October 2010 Critical Patch Update..."

Edited by AplusWebMaster, 04 August 2010 - 08:59 AM.

[AplusWebMaster]

FYI...

81 Oracle patches...
- http://www.oracle.co...010-175626.html
Oct. 2010 - "This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for October 2010, which will be released on Tuesday, October 12, 2010... This Critical Patch Update contains 81 new security vulnerability fixes across hundreds of Oracle products. 31 out of 81 vulnerabilities are in the Oracle Sun Products Suite..."

[AplusWebMaster]

FYI...

Oracle Critical Patch Update Advisory - October 2010
- http://www.oracle.co...010-175626.html
Oct. 12, 2010 - "... includes non-security fixes that are required (because of interdependencies) by those security patches... This Critical Patch Update contains 85 new security fixes..."

Patch Availability Table
- http://www.oracle.co...175626.html#PIN

Oracle Database Server Risk Matrix (CVE#)
- http://www.oracle.co...html#AppendixDB

Oracle Sun Products Suite Risk Matrix (CVE#)
- http://www.oracle.co...ml#AppendixSUNS

Oracle Java SE and Java for Business Risk Matrix (CVE#)
- http://www.oracle.co...ml#AppendixJAVA

- http://www.us-cert.g...tical_patch_for
"... 85 vulnerabilities across multiple products. This update contains the following security fixes:
* 7 for Oracle Database Server
* 8 for Oracle Fusion Middleware
* 1 for Oracle Enterprise Manager Grid Control
* 6 for Oracle E-Business Suite
* 2 for Oracle Supply Chain Products Suite
* 21 for Oracle PeopleSoft and JDEdwards Suite
* 4 for Oracle Siebel Suite
* 1 for Oracle Primavera Products Suite
* 26 for Oracle Sun Products Suite
* 5 for Oracle Open Office Suite
* 4 for Oracle VM ..."

Edited by AplusWebMaster, 15 October 2010 - 01:58 AM.

[AplusWebMaster]

FYI...

Oracle Solaris - multiple vulns...

- http://secunia.com/advisories/42402/
Release Date: 2010-11-29
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
Operating System: Sun Solaris 10
CVE Reference: http://web.nvd.nist....d=CVE-2010-1168
Original Advisory:
http://blogs.sun.com...ulnerability_in

- http://secunia.com/advisories/42403/
Release Date: 2010-11-29
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
Operating System: OpenSolaris 2009.06, Sun Solaris 10
CVE Reference: http://web.nvd.nist....d=CVE-2010-1623
Original Advisory:
http://blogs.sun.com...623_memory_leak

- http://secunia.com/advisories/42404/
Release Date: 2010-11-29
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Operating System: OpenSolaris 2009.06, Sun Solaris 10, Sun Solaris 9
CVE Reference: http://web.nvd.nist....d=CVE-2010-0405
Original Advisory:
http://blogs.sun.com...nteger_overflow

- http://secunia.com/advisories/42405/
Release Date: 2010-11-29
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
Operating System: Sun Solaris 8
CVE Reference: http://web.nvd.nist....d=CVE-2010-0405
Original Advisory:
http://blogs.sun.com...nteger_overflow

[AplusWebMaster]

FYI...

Oracle Critical Patch Update Advisory - January 2011
- http://www.oracle.co...011-194091.html
Jan. 18, 2011 - "... Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 66 new security fixes..."

What's New
- http://www.oracle.co...snew/index.html

- http://isc.sans.edu/...l?storyid=10291
Last Updated: 2011-01-18 21:17:51 UTC ... (Version: 2)

- http://www.us-cert.g..._patch_update14
January 19, 2011
"... This update contains the following security fixes:
7 for Oracle Database Server
16 for Oracle Fusion Middleware
2 for Oracle Enterprise Manager Grid Control
16 for Oracle Applications
3 for Oracle Supply Chain Products Suite
11 for Oracle PeopleSoft and JDEdwards Suite
2 for Oracle Industry Applications
23 for Oracle Sun Products Suite
2 for Oracle Open Office Suite ..."

- http://www.securityt....com/id?1024972 - Oracle Database - DoS vuln
- http://www.securityt....com/id?1024973 - Oracle Audit Vault - Remote vuln
- http://www.securityt....com/id?1024974 - Oracle Secure Backup - Remote vuln
- http://www.securityt....com/id?1024975 - Solaris - Remote vuln
- http://www.securityt....com/id?1024976 - OpenOffice - Remote vuln
- http://www.securityt....com/id?1024977 - Oracle Industry Apps - Remote vuln
- http://www.securityt....com/id?1024978 - Oracle PeopleSoft - Remote vuln
- http://www.securityt....com/id?1024979 - Oracle Enterprise Manager - Remote
- http://www.securityt....com/id?1024981 - Oracle Fusion Middleware - Remote
Jan 18-19 2011

Edited by AplusWebMaster, 19 January 2011 - 05:12 PM.

[AplusWebMaster]

FYI...

Oracle CPU announcement - April 2011
- http://www.oracle.co...011-301950.html
April 19, 2011 - "... This Critical Patch Update contains 73 new security fixes... Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Oracle Industry Applications and Oracle VM patches in the Critical Patch Updates are cumulative; patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents..."

- http://www.oracle.co...ml#AppendixSUNS

- http://www.oracle.co...rts-086861.html

- http://www.us-cert.g...tch_update_pre1
updated April 19, 2011
"... This update contains the following security fixes:
6 updates for the Oracle Database Server
9 updates for Oracle Fusion Middleware
1 update for Oracle Enterprise Manager Grid Control
4 updates for Oracle E-Business Suite
1 update for Oracle Supply Chain Products Suite
14 updates for Oracle PeopleSoft Products
8 updates for Oracle JD Edwards Products
3 updates for Oracle Siebel CRM
1 update for Oracle Industry Applications
18 updates for Oracle Sun Products Suite
8 updates for Oracle Open Office Suite..."
___

- http://www.informati...endly=this-page
April 18, 2011 - "... Oracle announced that it's dropping the commercial version of OpenOffice.org, turning it into a purely open source, community-driven project..."

Edited by AplusWebMaster, 20 April 2011 - 04:53 AM.

[AplusWebMaster]

FYI...

Oracle CPU Advisory - July 2011
- http://www.oracle.co...011-313328.html
July 19, 2011 - "This Critical Patch Update contains 78 new security fixes... Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Oracle Industry Applications and Oracle VM patches in the Critical Patch Updates are cumulative; patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents..."

- http://www.oracle.co...313328.html#PIN

- http://www.us-cert.g...atch_update_pre
July 19, 2011 "...This update contains the following security fixes:
• 13 for Oracle Database Server
• 3 for Oracle Secure Backup
• 7 for Oracle Fusion Middleware
• 18 for Oracle Enterprise Manager
• 1 for Oracle E-Business Suite
• 1 for Oracle Supply Chain Products Suite
• 12 for Oracle PeopleSoft and JDEdwards Suite
• 23 for Oracle Sun Products Suite..."

[AplusWebMaster]

FYI...

Oracle CPU Advisory - October 2011
- http://www.oracle.co...011-330135.html
18 October 2011 - "... Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 57 new security fixes..."

Patch Availability Table
> http://www.oracle.co...330135.html#PIN

Risk Matrix
> http://www.oracle.co...html#AppendixDB

Listed by Product
- http://www.oracle.co...ose-330139.html

- https://www.us-cert....nouncements_for
October 18, 2011 - "... This update contains the following security fixes:
• 5 for Oracle Database Server
• 10 for Oracle Fusion Middleware
• 5 for Oracle E-Business Suite
• 1 for Oracle Supply Chain Products Suite
• 7 for Oracle PeopleSoft Products
• 3 for Oracle Siebel CRM
• 2 for Oracle Industry Applications
• 22 for Oracle Sun Products Suite
• 1 for Oracle Linux
• 1 for Oracle Virtualization
• 20 for Oracle Java SE* ..."

* http://forums.whatth...=...st&p=754409

Edited by AplusWebMaster, 18 October 2011 - 04:31 PM.

[AplusWebMaster]

FYI...

Oracle Solaris - multiple vulns - updates available

- https://secunia.com/advisories/46701/
Release Date: 2011-11-02
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
CVE Reference(s): CVE-2010-4540, CVE-2010-4541, CVE-2010-4542, CVE-2010-4543
Original Advisory:
- http://blogs.oracle....nerabilities_in

- https://secunia.com/advisories/46682/
Release Date: 2011-11-02
Criticality level: Highly critical
Impact: Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch ...
... multiple vulnerabilities in Adobe Flash Player included in Solaris...
Original Advisory:
- http://blogs.oracle....be_flashplayer1
- http://blogs.oracle....be_flashplayer2

Edited by AplusWebMaster, 02 November 2011 - 09:42 AM.

[AplusWebMaster]

FYI...

Oracle pre-release announcement - Jan 2012
- http://www.oracle.co...012-366304.html

... 78 patches, including 27 for MySQL
- https://www.computer...ng_27_for_MySQL
January 13, 2012 - "Oracle is set on Tuesday to release 78 security fixes... including six that can be remotely exploited with no credentials..."

[AplusWebMaster]

FYI...

Oracle CPU advisory - January 2012 - Patch Availability Table
- http://www.oracle.co...366304.html#PIN
2012-January-17

- https://threatpost.c...rver-bug-011712
January 17, 2012 - "... two fixes for vulnerabilities in its Oracle Database Server, one of the lower totals seen from the company in recent years. There are a total of 78 patches for a wide variety of Oracle products available today, including Fusion, PeopleSoft and the Sun Product Suite... The most serious vulnerability in this quarter's release rates a 7.8 on the CVSS scale and is a flaw in Solaris. Six of the 17 vulnerabilities in the Sun Products Suite are remotely exploitable. Only one of the vulnerabilities in the Oracle Database Server that's fixed in today's release is remotely exploitable..."

- https://www.us-cert...._patch_update16
January 18, 2012 - "... This update contains the following security fixes:
2 for Oracle Database Server
1 for Oracle Fusion Middleware
3 for Oracle E-Business Suite
1 for Oracle Supply Chain Products Suite
6 for Oracle PeopleSoft Products
8 for Oracle JD Edwards Products
17 for Oracle Sun Products Suite
3 for Oracle Virtualization
27 for Oracle MySQL ..."

Edited by AplusWebMaster, 25 January 2012 - 08:49 AM.

[AplusWebMaster]

FYI...

Oracle multiple products - Hash Collision DoS vuln
- https://secunia.com/advisories/47819/
Release Date: 2012-02-01
Impact: DoS
Where: From remote...
CVE Reference: http://web.nvd.nist....d=CVE-2011-5035 - 5.0
Solution: Apply patch.
Original Advisory:
http://www.oracle.co...35-1506603.html
Oracle Security Alert for CVE-2011-5035

[AplusWebMaster]

FYI...

Oracle Solaris Adobe Flash Player multiple vulns
- https://secunia.com/advisories/47886/
Release Date: 2012-02-08
Criticality level: Highly critical
Operating System: Sun Solaris 10.x
CVE Reference(s): CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460 - 10.0 (HIGH)
Solution: Apply patches.
Original Advisory:
http://blogs.oracle....be_flashplayer4

Edited by AplusWebMaster, 08 February 2012 - 06:25 AM.

[AplusWebMaster]

FYI...

Oracle Critical Patch Update Advisory - April 2012
- http://www.oracle.co...012-366314.html
Apr 17, 2012

Text Form of Oracle Critical Patch Update - April 2012 Risk Matrices
- http://www.oracle.co...ose-366316.html
___

- https://www.us-cert...._patch_update18
April 18, 2012 - "Oracle has released its Critical Patch Update for April 2012 to address 88 vulnerabilities across multiple products. This updates contains the following security fixes:
• 6 for Oracle Database Server
• 11 for Oracle Fusion Middleware
• 6 for Oracle Enterprise Manager Grid Control
• 4 for Oracle E-Business Suite
• 5 for Oracle Supply Chain Product Suite
• 15 for Oracle PeopleSoft Products
• 2 for Oracle Industry Applications
• 17 for Oracle Financial Services Software
• 1 for Oracle Primavera Product Suite
• 15 for Oracle Sun Product Suite
• 6 for Oracle MySQL
US-CERT Encourages users and administrators to review the April 2012 Critical Patch Update and apply any necessary updates to help mitigate the risks."
___

Oracle Critical Patch Update (CPU) Advisory - April 2012
Severity: High Severity
- http://atlas.arbor.net/briefs/
April 19, 2012 15:40
Oracle provides comprehensive information about the April 2012 Critical Patch Update.
Analysis: Oracle customers should check the CPU and apply the patches as soon as possible in order to protect against a variety of serious security holes. In some cases, work-arounds may be used but each situation will need to be analyzed to determine impact and effectiveness.
___

- http://h-online.com/-1541933
18 April 2012
___

Many listings - here: https://secunia.com/...ories/historic/
18th Apr, 2012
___

- http://www.securityt....com/id/1026954
- http://www.securityt....com/id/1026953
- http://www.securityt....com/id/1026952
- http://www.securityt....com/id/1026952
- http://www.securityt....com/id/1026951
- http://www.securityt....com/id/1026950
- http://www.securityt....com/id/1026949
- http://www.securityt....com/id/1026948
- http://www.securityt....com/id/1026943
- http://www.securityt....com/id/1026942
- http://www.securityt....com/id/1026941
- http://www.securityt....com/id/1026940
- http://www.securityt....com/id/1026937
- http://www.securityt....com/id/1026936
- http://www.securityt....com/id/1026934
Apr 18 2012
- http://www.securityt....com/id/1026929
Apr 17 2012
.

Edited by AplusWebMaster, 23 April 2012 - 08:04 AM.