The next in the line of the Critical Patch Updates (CPU) July 2008 for the Oracle product stack is due next Tuesday, the 15th of July. The pre-release announcement was released last Tuesday, titled "Oracle Critical Patch Update Pre-Release Announcement - July 2008" and it details a potential tally of 45 fixes across a very wide range of products. The database layer is my particular sphere of interest and there are 11 fixes in the database, this time none that can be remotely expolited without a password, this doesn't imply or deny if any are remotely exploitable with a password!. The highest CVSS score is 6.5 which is quite high considering the methods used to calculate it. The interesting ones are "authentication" as that implies a fault in the authentication mechanism, presumably from the above statement that is not expliotable until after the authentication completes, i.e. you need a password. Core RDBMS sounds interesting as does database vault. The others could in most cases be PL/SQL based issues, we will need to wait and see next week.
There are a whole raft of news reports about the same pre-release document mostly all summarising whats in it. You can query Google for "Oracle Security" in the news and read them.
