Oracle announces 86 fixes including 18 for MySQL
On its web site, Oracle has announced which security patches will be released on Tuesday. The company said that the 86 fixes will affect "hundreds of Oracle products". The most serious hole with the highest CVSS (Common Vulnerability Scoring System) rating of 10 will be closed in Oracle's Database Mobile/Lite Server mobile database variant.
In the free MySQL relational database, Oracle will tackle 18 potential points of attack. Two of these have a CVSS rating of 9 and are said to be exploitable remotely and without authentication. With its patch update, Oracle will likely also close the recently disclosed 0day hole in MySQL – at least that's what the latest comments in Red Hat's Bugzilla report on this subject seem to indicate. The relevant corrections in the MySQL source code were made in versions 5.5.29 and 5.1.67. Only one patch for the "Spatial" module will be released for the Oracle 10/11 database server which means that the hole that has long been known to exist in the TNS Listener will continue to remain unpatched. Oracle had announced that it plans to close this hole in the upcoming version 12 of the database server.
The company's Critical Patch Update (CPU) also includes fixes for Oracle's Fusion, Enterprise Manager Grid Control, E-Business Suite, Supply Chain Products Suite, PeopleSoft, JD Edwards and Solaris products. Full details will be announced when the CPU is released on Tuesday.