The latest in the line of Oracle's Critical Patch Updates, CPU April 2007, is out. The advisory from Oracle is titled "Oracle Critical Patch Update - April 2007" and includes 13 database fixes, one Enterprise Manager fix and one Workflow Cartridge bug, a total of 16 database product related bugs. Two of the database bugs can be remotely exploited without authentication. Two of the database patches affect client-only installations as well. There are 5 Application Server fixes, one Workflow Cartridge fix and one Ultra Search fix; two of these can be remotely exploited without authentication. There is one Collaboration Suite fix and, again, one Workflow fix; neither of these can be remotely exploited without authentication. There are 11 E-Business Suite fixes, again two of which can be exploited remotely without authentication, plus the Workflow bug fix once more. Enterprise Manager has one fix. There are three PeopleSoft fixes and one JD Edwards fix.
This is a mixed bag. Again the patch is critical and needs to be applied quickly, both because of the remotely exploitable bugs and because of the recent tendency for exploits to become available on the net soon after a CPU is released. The numbers are smaller than in the last patches but are still excessive in terms of raw security fixes. Have Oracle turned the corner in terms of reducing the number of security bugs? Not sure. It would seem that the numbers are reducing, but the recent number of papers on Oracle security and forensics, and the releases of exploits, would suggest a renewed effort on the part of researchers to push Oracle further by being more creative in finding security bugs in its products. Let's wait and see if the trend in the number of fixes keeps falling in July.