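[IT168 Technology News]
This Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that the security patches require because of interdependencies. This Critical Patch Update is cumulative; except as noted below, the advisory describes only what has been added since the previous Critical Patch Update.
Previous Critical Patch Update advisories should therefore be reviewed as well. Because successful attacks against the threats involved have already been reported, Oracle strongly recommends that customers apply the fixes as soon as possible. This Critical Patch Update contains 43 new security fixes.
Supported Products and Affected Components
The products fixed and affected by this Critical Patch Update are listed in the table below. Click the link in [square brackets] or in the Patch Availability Table to obtain the patches.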
Product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy:
• Oracle Database 11g, versions 11.1.0.6, 11.1.0.7 | [Database]
• Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4 | [Database]
• Oracle Database 10g, version 10.1.0.5 | [Database]
• Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV | [Database]
• Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0 | [Application Server]
• Oracle Outside In SDK HTML Export 8.2.2, 8.3.0 | [Application Server]
• Oracle XML Publisher 5.6.2, 10.1.3.2, 10.1.3.2.1 | [Application Server]
• Oracle BI Publisher 10.1.3.3.0, 10.1.3.3.1, 10.1.3.3.2, 10.1.3.3.3, 10.1.3.4 | [Application Server]
• Oracle E-Business Suite Release 12, version 12.0.6 | [E-Business Suite]
• Oracle E-Business Suite Release 11i, version 11.5.10.2 | [E-Business Suite]
• PeopleSoft Enterprise PeopleTools versions: 8.49 | [PeopleSoft/JDE]
• PeopleSoft Enterprise HRMS versions: 8.9 and 9.0 | [PeopleSoft/JDE]
• Oracle WebLogic Server 10.3 | [BEA]
• Oracle WebLogic Server 9.0 GA, 9.1 GA, 9.2 through 9.2 MP3 | [BEA]
• Oracle WebLogic Server 8.1 through 8.1 SP6 | [BEA]
• Oracle WebLogic Server 7.0 through 7.0 SP7 | [BEA]
• Oracle WebLogic Portal 8.1 through 8.1 SP6 | [BEA]
• Oracle Data Service Integrator 10.3.0 and Oracle AquaLogic Data Services Platform (formerly BEA ALDSP) 3.2, 3.0.1, 3.0 | [BEA]
• Oracle JRockit (formerly BEA JRockit) R27.6.2 and earlier (JDK/JRE 6, 5, 1.4.2) | [BEA]
Patch Availability Table and Risk Matrices
Products with Cumulative Patches
The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications (Release 12 only), JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools and Siebel Enterprise patches in the Updates are cumulative; patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates.
Products with Non-Cumulative Patches
Oracle E-Business Suite Applications Release 11i patches are not cumulative, so Oracle E-Business Suite Applications customers should refer to previous Critical Patch Updates to identify previous security fixes they want to apply. Oracle Collaboration Suite patches were cumulative up to and including the fixes provided in the July 2007 Critical Patch Update. From the July 2007 Critical Patch Update on, Oracle Collaboration Suite security fixes are delivered using the one-off patch infrastructure normally used by Oracle to deliver single bug fixes to customers. Patches for BEA products are not cumulative (unless otherwise stated), so BEA customers should refer to previous Security Advisories to identify previous security fixes they want to apply.
For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update April 2009 Documentation Map, My Oracle Support Note 798344.1.
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. The same vulnerability appears with the same Vuln # in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.
Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. As a matter of policy, Oracle does not disclose detailed information about an exploit condition or results that can be used to conduct a successful exploit. Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Patch Availability Matrix, the readme files, and FAQs. Oracle does not provide advance notification on CPUs or Security Alerts to individual customers. Finally, Oracle does not distribute exploit code or “proof-of-concept” code for product vulnerabilities.
Details: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html