In a follow-up to my previous post regarding mystery patches for 188.8.131.52 in the October 2006 Critical Patch Update, the CPU advisory was updated to include information about 184.108.40.206. However, the patches for 220.127.116.11 are still not available and have an anticipated release date of December 15, 2006 (note: the initial release date was November 15, 2006).
The initial release of the October 2006 CPU did not include any references to 18.104.22.168 as being vulnerable or requiring patches. Oracle did not update the advisory until October 31st. So if you evaluated your internal risk and identified databases requiring patches prior to October 31st, you will need to reevaluate all your 22.214.171.124 databases.
The following vulnerabilities were updated to include 126.96.36.199 - DB09, DB13, DB14, DB15, and DB17. DB09 is the View bug, which is serious. DB13 and DB17 are SQL injection bugs in standard Oracle Spatial packages or triggers. DB14 and DB15 are SQL injection bugs in XDB packages. All of these SQL injection bugs allow a database account with limited privileges the ability to execute SQL fragments as a privileged database account like MDSYS.