October 2006 CPU and 9.2.0.8 - Patches Available December 15

In a follow-up to my previous post regarding mystery patches for 9.2.0.8 in the October 2006 Critical Patch Update, the CPU advisory was updated to include information about 9.2.0.8.  However, the patches for 9.2.0.8 are still not available and have an anticipated release date of December 15, 2006 (note: the initial release date was November 15, 2006).

The initial release of the October 2006 CPU did not include any references to 9.2.0.8 as being vulnerable or requiring patches.  Oracle did not update the advisory until October 31st.  So if you evaluated your internal risk and identified databases requiring patches prior to October 31st, you will need to reevaluate all your 9.2.0.8 databases.

The following vulnerabilities were updated to include 9.2.0.8 - DB09, DB13, DB14, DB15, and DB17.  DB09 is the View bug, which is serious.  DB13 and DB17 are SQL injection bugs in standard Oracle Spatial packages or triggers.  DB14 and DB15 are SQL injection bugs in XDB packages.  All of these SQL injection bugs allow a database account with limited privileges the ability to execute SQL fragments as a privileged database account like MDSYS.