David has released a detailed analysis of the April 2007 CPU. This page is titled "
Database Security Brief: The Oracle critical patch update for April 2007". this is a noce short summary of the issues and complements the coverage made by Alex on his site. David has covered a lot of the database bugs but the first paragraph is of the most interest for two reasons. First David points out that quite a few of the fixes are for very old bugs, one cited was reported in 2002 for instance. He feels that this indicates that Oracle have turned the corner and are finally clearing the backlog. The second point is that David indicates that he, Mark and Paul have reported a further 39 bugs, that is just NGS. Other researchers are obviously also concentrating on Oracle bugs and vulnerabilities. Also there was the announcement from Oracle that the CPU's for some platforms/products are not going be quarterly releases any more. I think the overall impression is that Oracle beleive that they have turned the corner and are clearing the backlog, that said the researchers are doubling their efforts to overturn that, lets see what happens!!