Point 21 in the above FAQ discusses the question "is the Oracle client also vulnerable because of the issues fixed in alert 68". It states that some of the issues addressed are also applicable to middle tier installations and also to client only installations. Basically a successful hack of the client will not get you into the database or its server if its been patched with alert 68 but the client is exploitable. Oracle have reduced the severity of the patch to 2 for clients and 2 for application servers if the application server has been patched.
Refer to the pdf on Oracle's OTN site available above for alert #68 and also the FAQ available only on metalink for more details