As a follow-up to my previous post regarding mystery patches for 126.96.36.199 in the October 2006 Critical Patch Update: the CPU advisory was updated to include information about 188.8.131.52. However, the patches for 184.108.40.206 are still not available and have an anticipated release date of December 15, 2006 (note: the initial release date was November 15, 2006).
The initial release of the October 2006 CPU did not include any references to 220.127.116.11 as being vulnerable or requiring patches. Oracle did not update the advisory until October 31st. So if you evaluated your internal risk and identified databases requiring patches prior to October 31st, you will need to reevaluate all your 18.104.22.168 databases.
The following vulnerabilities were updated to include 22.214.171.124: DB09, DB13, DB14, DB15, and DB17. DB09 is the View bug, which is serious. DB13 and DB17 are SQL injection bugs in standard Oracle Spatial packages or triggers. DB14 and DB15 are SQL injection bugs in XDB packages. All of these SQL injection bugs allow a database account with limited privileges to execute SQL fragments as a privileged database account like MDSYS.
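When reevaluating databases, it helps to record which of them actually have the Spatial and XDB components installed. The query below is an added example, not part of the original post or of Oracle's advisory; it assumes the components are registered in `DBA_REGISTRY` under the IDs `SDO` (Spatial) and `XDB`, and it reports exposure only, not whether a patch has been applied.

```sql
-- Added example: per-database inventory for the Spatial (DB13, DB17)
-- and XDB (DB14, DB15) items. Run as a user with SELECT on the DBA_ views.
-- Assumption: component IDs 'SDO' and 'XDB' as registered in DBA_REGISTRY.
SELECT r.comp_id,
       r.comp_name,
       r.version,                         -- component version, compare with the advisory
       r.status,                          -- VALID / INVALID / etc.
       r.schema         AS owner_schema,  -- e.g. MDSYS for Spatial
       u.account_status,
       -- Packages executable by every account are the ones a
       -- low-privileged user can reach without any extra grant.
       (SELECT COUNT(*)
          FROM dba_tab_privs p
         WHERE p.owner     = r.schema
           AND p.grantee   = 'PUBLIC'
           AND p.privilege = 'EXECUTE') AS public_execute_grants
  FROM dba_registry r
  LEFT JOIN dba_users u
         ON u.username = r.schema
 WHERE r.comp_id IN ('SDO', 'XDB')
 ORDER BY r.comp_id;

-- Note: a LOCKED owner account does not reduce exposure. Definer-rights
-- packages still run with the owner's privileges when the account is locked.
```

No rows returned means neither component is registered in that database; the items that are not tied to Spatial or XDB still have to be assessed separately.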