Oracle starts advance notification for its own patch day
Following the model of Microsoft's Advance Notification for security updates, Oracle will now provide information in advance of upcoming Critical Patch Updates, starting with the next one on January 16. This month, 52 security fixes are expected, though Oracle said the number may still change. The highest rating among these fixes under the Common Vulnerability Scoring System (CVSS), which is used to assess risk, is seven on a scale from one to 10. Several of the vulnerabilities can be exploited over networks without authentication. Numerous products and components are affected; for more details, see the executive summaries in the announcement.
Oracle is apparently taking this step to improve the flow of information to users about holes. In October 2006, the vendor created a better overview for administrators looking for information about which holes can be exploited over networks without authentication. Since then, the holes have been categorized according to the Common Vulnerability Scoring System (CVSS), a rating system for security holes. This new service is intended to help administrators decide how quickly a patch should be installed, among other things.
- Oracle Critical Patch Update Pre-Release Announcement - January 2007, Oracle's announcement