CPU April 12 - 2005 is released
This advisory continues the trend towards more detailed information that started with Alert 68 and the Critical Patch Update - January 2005. It includes a description of each bug (though no details on how to exploit it and no example code) and a risk matrix for each bug. This is good information.
There are a few comments worth making though. The first is that a large proportion of the fixes are aimed at the Oracle HTTP Server, the email server and the calendar server. Customers who use these components should review their security posture for them and apply the patches quickly.
The second observation is that this advisory and patch set includes fixes for PeopleSoft software; an interesting addition after the recent purchase.
Also, the number of people credited with finding bugs this time is low: just three, David Litchfield, Stephen Kost and Esteban Martínez Fayó. It is interesting that Alex is not mentioned, considering he has just released a paper on a default-installation SQL injection issue in Oracle Forms; the paper was held back until this CPU, presumably because it was waiting for a fix.
It is also interesting that Alex has a list of 40 Oracle bugs that are not fixed yet, some of them reported in 2003. Esteban Martínez Fayó also said in a recent paper, "Advanced SQL Injection in Oracle databases", that over 65 PL/SQL and SQL buffer overflows had been reported and not yet fixed.
Oracle have made great strides forwards with the amount of information released with their patches and advisories; let's hope they can now clear this apparent backlog of security fixes.