Going onto the tables of actual bugs we can see that the tables have been made much clearer and no longer include the very confusing columns of risk and threats in the previous forms. We now have the CVSS score, whether the bug can be exploited remotely, the privilege required, the access complexity (how easy it is to call the function or feature to exploit it) and the earliest release and the last affected patch sets. The pattern is repeated for each of the database product sets and then the same structure applies for the Application server (14 fixes, 13 of which can be exploited remotely without authentication), Collaboration Suite (12 fixes, 11 remote without authentication), E-Business Suite (13 fixes, one remote without authentication) and finally 8 Peoplesoft and one JD Edwards bugs fixed.
I am impressed that there is a simple check provided to test if you have HTMLDB installed, I am not impressed that there are 35 fixes in it, although its good that they ahve been fixed.
All in all I am impressed by the new style advisory, its not perfect, it is much better than it was, at the end of the day you cannot please everyone and provide all the information possible. The main thing for me is to help the DBA decide whether to patch quickly, to identify which products / features / functions are affected and to help them make a decision based on the risk. The remote bugs that do not require authentication is a great step towards identifying the risk, they stand out, the product is identified and itseasier to decide.
There is a lotof fixes this time, thats good that Oracle have managed to process this amount of fixes, from this they seem to be getting on top of the bug fixing. Well done Mary Ann and the rest of the team. Lets hope it gets to a point where we have advisories with one r tow bugs to patch as soon as possible!