As I mentioned in a previous post Oracle CPU / PSU Pre-Release Announcement Januar 2012 the CPU / PSU patches are available for 10g and 11g. Whereby the download of 10g patches is again possible without a corresponding Extended Support contract. I assume this is related to the SCN flaw. This Critical Patch Update contains 78 new security vulnerability fixes for several Oracle products. 2 of these fixes are just for the Oracle Database Server, but none of them is for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 5.5, which seams to be not critical. On the other hand it look like one of this bug fix is related to the Oracle SCN flaw. I’ll post a few comments on this later this week.

• Core RDBMS (related to the SCN flaw)
• Listener

The Database Server Patch’s are available for Oracle Database 11g Release 2 (11.2.0.2,11.2.0.3), Oracle Database 11g Release (11.2.0.7), Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5) and Oracle Database 10g Release 1 (10.1.0.5). It looks like that the first CPU in 2012 is as well the first one for 11.2.0.3.

• Oracle Database 11.2.0.3 => normal CPU/PSU
• Oracle Database 11.2.0.2 => normal CPU/PSU
• Oracle Database 11.1.0.7 => normal CPU/PSU
• Oracle Database 10.2.0.x => normal CPU/PSU

A bunch of useful links around the current CPU / PSU:

• Oracle Critical Patch Update Advisory – January 2012
• Oracle Critical Patch Update January 2012 Documentation Map [1368685.1]
• Patch Set Update and Critical Patch Update January 2012 Availability Document [1374524.1]

As well as a few generic links about CPU / PSU:

• Critical Patch Updates and Security Alerts
• Release Schedule of Current Database Releases [ID 742060.1]
• Risk Matrix Glossary – terms and definitions for Critical Patch Update risk matrices [ID 394486.1]
• Use of Common Vulnerability Scoring System (CVSS) by Oracle [ID 394487.1]
• DB, FMW, EM Grid Control, and OCS Software Error Correction Support Policy [ID 209768.1]