As part of the Oracle quarterly Critical Patch Update (CPU) process, a new reminder e-mail of the upcoming CPU is being sent to all individuals who signed up for e-mail notifications on the CPU web page. This e-mail is only a reminder that the next CPU will be released on January 15, 2008 (sometime after noon Pacific Time).
What is missing from the e-mail is that on Thursday January 10th, Oracle will release a pre-announcement of the upcoming CPU with some details as to the number of security bugs fixed and the maximum severity of the bugs fixed for each product set. This pre-announcement does provide limited insight, but generally won't change many organizations plans unless there is something dramatic and out of the ordinary fixed. It is most useful for Oracle Application Server and Oracle E-Business Suite customers as there is variability to the components fixed and a specific CPU may not impact security critical components like Single-Signon or EBS Internet modules.
From: Oracle Security Alerts [mailto:firstname.lastname@example.org]
Sent: Thursday, January 10, 2008 12:25 AM
To: Kost, Stephen
Subject: Oracle Critical Patch Update January 2008
January 9th, 2008
Oracle Critical Patch Update January 2008
Dear Oracle customer,
The Critical Patch Update for January 2008 is planned to be released on January 15, 2008. Oracle strongly recommends applying the patches as soon as possible.
The Critical Patch Update Advisory is the starting point for relevant information. It includes the list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities for each product suite, and links to other important documents. Supported products that are not listed in the "Supported Products and Components Affected" section of the advisory do not require new patches to be applied.
Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Critical Patch Update Advisory is available at any of the following locations:
Oracle Technology Network: http://www.oracle.com/technology/deploy/security/alerts.htm
Oracle, PeopleSoft and JD Edwards products: http://www.peoplesoft.com/corp/en/support/security_index.jsp
The next four Critical Patch Update release dates are:
April 15, 2008
July 15, 2008
October 14, 2008
January 13, 2009
Sincerely, Oracle Security Alerts
(Thanks to Randy for pointing out this e-mail)