In a follow-up to my previous post regarding mystery patches for 22.214.171.124 in the October 2006 Critical Patch Update, the CPU advisory was updated to include information about 126.96.36.199. However, the patches for 188.8.131.52 are still not available and have an anticipated release date of December 15, 2006 (note: the initial release date was November 15, 2006).
The initial release of the October 2006 CPU did not include any references to 184.108.40.206 as being vulnerable or requiring patches. Oracle did not update the advisory until October 31st. So if you evaluated your internal risk and identified databases requiring patches prior to October 31st, you will need to reevaluate all your 220.127.116.11 databases.
The following vulnerabilities were updated to include 18.104.22.168: DB09, DB13, DB14, DB15, and DB17. DB09 is the View bug, which is serious. DB13 and DB17 are SQL injection bugs in standard Oracle Spatial packages or triggers. DB14 and DB15 are SQL injection bugs in XDB packages. All of these SQL injection bugs allow a database account with limited privileges to execute SQL fragments as a privileged database account like MDSYS.
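One way to redo the per-database risk evaluation described above, as an added example that is not part of the original post or of Oracle's advisory: read-only data dictionary queries that show whether Spatial and XDB are installed, who can execute code owned by MDSYS or XDB, and what those owning accounts are privileged to do. It assumes an account with SELECT access to the DBA_* views and that the components are registered under the standard identifiers SDO and XDB.

```sql
-- Added triage example (not from the original post). Run once in each
-- database that has to be re-evaluated. All statements are read-only.

-- 1. Exact release of this database, to compare against the versions
--    named in the updated CPU advisory.
SELECT banner FROM v$version;

-- 2. Are Oracle Spatial (SDO) and XML DB (XDB) installed here?
--    DB13/DB17 are in Spatial; DB14/DB15 are in XDB.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id IN ('SDO', 'XDB')
 ORDER BY comp_id;

-- 3. Who can execute code owned by MDSYS or XDB? A grant to PUBLIC means
--    every database account, however limited, can call that code.
SELECT owner, grantee, COUNT(*) AS executable_objects
  FROM dba_tab_privs
 WHERE owner IN ('MDSYS', 'XDB')
   AND privilege = 'EXECUTE'
 GROUP BY owner, grantee
 ORDER BY owner, executable_objects DESC;

-- 4. Triggers owned by MDSYS (DB13/DB17 are described as being in
--    Spatial packages or triggers) and whether they are enabled.
SELECT owner, trigger_name, triggering_event, status
  FROM dba_triggers
 WHERE owner = 'MDSYS'
 ORDER BY trigger_name;

-- 5. What an injected SQL fragment would inherit: system privileges and
--    roles held by the accounts that own the affected code.
SELECT grantee, privilege AS granted, 'SYSTEM PRIVILEGE' AS kind
  FROM dba_sys_privs
 WHERE grantee IN ('MDSYS', 'XDB')
UNION ALL
SELECT grantee, granted_role, 'ROLE'
  FROM dba_role_privs
 WHERE grantee IN ('MDSYS', 'XDB')
 ORDER BY 1, 3, 2;
```

A database where query 2 returns no rows does not have the Spatial or XDB code paths installed; DB09 still has to be assessed separately.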