Pete Finnigan's Oracle Security Weblog

I just noticed today that the 9.2.0.6 path set is out for Win32 but doesn't seem to be out for other platforms yet. There is a note on metalink that describes the known issues fixed in 9.2.0.6 - Note 189908.1 lists the 9.2.0.x patch sets and also links to two further notes. The first of which is 283899.1 which is for known issues and alerts affecting 9.2.0.6. The second is 283897.1 which is the list of fixes in 9.2.0.6.

The only security specific mention in the first document is about a HTTP server patch for 9.2.0.5/6 which is part of alert #68.

The second document lists hundreds of bug fixes but specifically lists alert 68 in the general section (no details). It is also listed again in the security and denial of service section, in advanced / secure network section there is a bug mentioned (3889519) that say’s there are errors with data transfer with SSL when security patch 68 is installed. There is also a bug about importing a wrapped password verification function. There are nine bugs fixed in Oracle label security. There are 6 specific errors fixed in the row level security functionality.

It is important to apply new patch sets as they quite often fix "silent" security bugs. These are security bugs that are not part of a security alert. This could be because these security issues are not reported as such by the finder of the problem.