January 2006 Critical Patch Update Oracle security patch is released
A new addition with this advisory is that Oracle has provided a new tool to check default account passwords. This is available from Metalink only, as patch 4926128. This is the tool announced recently to combat the potential threat of the Voyager worm. Of course, a much better default password checker, in terms of the number of default accounts checked, is available from this site.
This time the advisory also includes three fixes for client-only installs. These are issues DBC02, DBC01 and JN01.
There are a number of new names among the researchers credited in the credit section; this can only be taken as an indication that more and more people are becoming interested in Oracle security. This can only be a good thing in the long term.
There are 29 database-related bugs fixed in this release. Quite a few relate to package procedures and commands in the database, so whilst the exploit is not obvious, the package or command that is vulnerable is obvious.
There are then 3 client bugs, 3 HTTP server and 3 Oracle Workflow cartridge bugs.
There are then 17 Oracle application server related bugs listed, some of which are duplicates from the first section. There are then 20 Oracle Collaboration server bugs, again including 5 from previous sections. There are 27 Oracle Applications (E-Business Suite) bugs, again including 8 listed in previous sections, and finally there is one PeopleSoft bug and one JD Edwards bug fixed.
This seems like a good mixed bag of fixes, quite a lot in total, and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands.
As always, apply the patches as soon as possible!