When Greg emailed me the pdf about the patch survey he also mentioned a website that his company sponsor called Security Patch.org
. This site does not have a fantastic amount of content but it does include a very good set of pages that link to individual advisories for security bugs in Oracle, Microsoft, Apache, Linux and Sun. The Oracle page is of course of the most interest to us here. The Oracle patch page
details all of the CVE references for bugs fixed in oracle CPU's and previous alerts. There is obviously not a complete cross reference against every bug fixed in each CPU and alert as Oracle never reveals this level of detail but the list is a good starting point. If you follow each CVE link you will find a page for each that often includes links to many other sources of information for each bug. Some link eventually to pages that include example exploits.