Author Archive

Oracle’s quarterly Critical Patch Update is out

By Marc Fielding July 15th, 2008 at 5:20 pm
Posted in Group Blog Posts, Oracle

The latest quarterly update came out this morning. There are no oh-my-god smoking guns this time, but there are several medium-important patches:

  • CVE-2008-2607: Vulnerability in DBMS_AQELM (Advanced queueing package for e-mail and HTTP notifications)
  • CVE-2008-2613: Vulnerability in DBMS_SCHEDULER, requiring access to a local user in the oinstall group for exploitation
  • CVE-2007-1359: Remotely-exploitable vulnerability in Oracle App Server. This is an issue in the ModSecurity application firewall that was originally reported in March 2007 that allows some security checks to be bypassed given a specially-formatted string. The original advisory is here.
  • CVE-2008-2589: PL/SQL injection flaw in Oracle Portal. Details were posted to the full disclosure list in conjunction with the patch.
  • CVE-2008-2594 and CVE-2008-2609: These look like two more injection flaws in Portal.

If you’re running Oracle Collaboration Suite, note that the patch blows away the login and logout pages (oops!). MetaLink note 445172.1 has info on how to restore the pages post-patch.

It’s Oracle patch time again

By Marc Fielding January 10th, 2008 at 8:49 pm
Posted in Group Blog Posts

It’s yet again time for Oracle’s critical patch update (CPUJAN2008). The update will be released on Tuesday January 15. As of yet there are no details on exactly which vulnerabilities have been found, but the description page mentions that unauthenticated remotely-exploitable issues have been discovered in the following products:

  • Oracle Application Server (5)
  • Oracle E-Business Suite (3)
  • Oracle Enterprise Manager (1)
  • PeopleSoft Enterprise (1)

So especially for you folks running the above products, start planning your maintenance windows!

Oracle standard edition has no multi-core licensing restrictions

By Marc Fielding November 12th, 2007 at 9:45 pm
Posted in Group Blog Posts, Oracle

In this article on Hemant’s blog from last June, he makes an interesting observation:

1. Oracle has priced for the Xeon QuadCore Processor at the rate of 1 Processor based on the single socket justified as “When licensing Oracle programs with Standard Edition One or Standard Edition in the product name, a processor is counted equivalent to an occupied socket” for a 3-year licence. Thus, Oracle used the combination of “Processor, not Core” for SE/SE-One and 50% of List price for a 3-Year Licence.

The Oracle store website’s licensing page has the exact same wording.

This means that, with SE/SEOne, you can really stretch your Oracle licensing dollar: an 8-way box with a pair of quad-core processors can be licensed with SEOne (in the US) for $10k, and $2k/year for support (sold on a per-chip basis too).

Now imagine running it on an 80-core chip!

Oracle 11g Solaris/AIX/HP-UX/Win64 are out

By Marc Fielding November 12th, 2007 at 4:56 pm
Posted in Group Blog Posts, Oracle

The 11g platforms are now coming out fast and furious:

Windows 64-bit
Solaris SPARC 64-bit
AIX PPC64
HP-UX Itanium

In addition to the previously-released:

Linux x86 32-bit
Linux x86 64-bit
Windows 32-bit

So download away, after checking your platform certification first, of course.

Planned future platforms:

Apple Mac Intel OSX
HP-UX PA-RISC
OpenVMS Itanium 64-bit
Linux LPAR on IBM z-series mainframes
Linux on IBM Power
Linux on Itanium
Solaris x86 64-bit

Oracle 11g for Windows is out

By Marc Fielding October 23rd, 2007 at 10:30 am
Posted in Group Blog Posts

Hot on the heels of the Linux 64-bit release, Oracle 11g for Windows (32-bit only for now) is now available for download on OTN.

As usual, an x86 32-bit operating system is required. Certification for Windows XP, Windows Server 2003, and Vista is “projected for Q4”, but Windows 2000 will not be supported.

Oracle 11g for Linux 64-bit now available

By Marc Fielding October 19th, 2007 at 1:41 pm
Posted in Group Blog Posts, Oracle

It looks like the second public platform release for Oracle 11g is (surprise, surprise) Linux x86-64. Downloads are available on OTN.

As with previous Linux releases, 32-bit Oracle with a 32-bit OS and 64-bit Oracle with a 64-bit OS are supported, but 32-bit Oracle with a 64-bit OS is not.

Note also that sqlplus does not play well with SELinux under RHEL5; workarounds are to disable SELinux entirely, or to manually change the context of Oracle libraries to textrel_shlib_t. More details are in MetaLink note 454196.1 (login credentials required).

Oracle 10.2.0.3 patchset is out

By Marc Fielding December 5th, 2006 at 12:00 pm
Posted in Group Blog Posts

My colleague Vamsi Chikkam noticed that the Oracle 10.2.0.3 patchset has been released for Linux and Windows 32-bit. The major bugfixes are the same as my original post with a few additions:

  • Identical SQL run in different schemas may modify the wrong schema’s tables (bug 5458753)… we have run into this problem at a client site and it’s not pretty. Workarounds include qualifying schema names in SQL and one-off patches for 10.2.0.2. MetaLink note 329673.1 has more details.
  • When cursors are being reloaded frequently in the shared pool, PLS-306/ORA-1722/ORA-1858 errors can occur (bug 4752541)
  • Under Windows platforms, triggers referencing :NEW/:OLD using NCHAR/NVARCHAR character sets can error out (bug 5388136)
  • The same issue as bug 5388136 above also causes compilation errors on 10.2.0.2 databases upgraded from previous releases under Windows (bug 5383828)

Oracle 10.2.0.3 coming soon, and a data guard corruption bug

By Marc Fielding September 22nd, 2006 at 2:44 pm
Posted in Group Blog Posts

It looks like Oracle has started testing the 10.2.0.3 patchset. A preliminary list of bugs fixed is in MetaLink note 391116.1. The “important” bug fixes are:

  • corruption in NOCACHE LOB’s (bug 5212539, also fixed in 9.2.0.8 and upcoming 10.1.0.x release)
  • wrong results in aggregate functions using the “hash group by” access path (bug 4604970)
  • PGA corruption when using shared server (bug 5114396)
  • Server handle leak in Windows (bug 5077897)
  • workaround for changed locking behavior of SELECT FOR UPDATE queries in 9.2.0.6/10.1.0.4/10.2.0.1 (bug 4969880)

But the most serious issue is index corruption on databases upgraded to 10.1.0.5 through 10.2.0.2, when using data guard in redo apply mode. Paraphrasing note 386830.1, bad redo metadata for index blocks gets written, and is not detectable by standard corruption checks. If this same block is used to generate redo of its own (after a state change or instance recovery, for example), the block may get corrupted. Errors will happen when querying or updating such blocks on the standby in read-only mode, or if the standby becomes a primary site. If the corrupt block is a bootstrap index, the database won’t start up at all.

For index corruption to occur, the following things must happen, in order:

  1. The database is upgraded from a pre-10.1.0.5 version to a version between 10.1.0.5 and 10.2.0.2
  2. Redo from an index block is applied elsewhere (typically a physical standby/data guard redo apply)
  3. The location where the redo was applied is modified and generates redo of its own (typically after a role change)
  4. Applying this newly-generated redo will result in corruption (typically done to the former primary database after a role change)

To fix:

  • Apply the one-off patch for bug 5380055 on your platform
  • If you have a database that has already applied version 10.1.0.5+ redo (typically a physical standby), there are additional steps in note 386830.1 to “bump” the database SCN. This operation must be done in restricted mode, will require downtime, and can be dangerous, so be careful!
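
The ordering of those conditions lends itself to a quick inventory check before any role change is scheduled. The following is an added example, not Oracle's or the author's code: the inventory rows, field names (`history`, `redo_apply_standby`, `patch_5380055`) and status labels are all constructed for illustration, and only conditions 1 and 2 plus the one-off patch are evaluated.

```python
# Added example: triage an inventory against the corruption preconditions above.
# All database names and field names below are constructed for illustration.

def parse_version(text):
    """'10.2.0.2' or '10.2.0.2.0' -> 4-part tuple (patchset level), zero padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 5:
        raise ValueError("unexpected Oracle version: %r" % text)
    return tuple((parts + [0, 0, 0])[:4])

FIRST_AFFECTED = parse_version("10.1.0.5")
LAST_AFFECTED = parse_version("10.2.0.2")

def in_affected_range(version):
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED

def crossed_into_range(history):
    """Condition 1: an upgrade step from a pre-10.1.0.5 release into the range."""
    return any(parse_version(old) < FIRST_AFFECTED and in_affected_range(new)
               for old, new in zip(history, history[1:]))

def assess(db):
    if not crossed_into_range(db["history"]):
        return "conditions-not-met"
    if not db["redo_apply_standby"]:
        return "upgraded-no-redo-apply"        # condition 2 absent so far
    if db["patch_5380055"]:
        return "patched-check-note-386830.1"   # standby may already hold bad redo
    return "exposed-on-role-change"            # conditions 3 and 4 still pending

def triage(inventory):
    return {db["name"]: assess(db) for db in inventory}

# Constructed sample inventory; 'history' lists versions oldest first.
INVENTORY = [
    {"name": "erp", "history": ["9.2.0.6", "10.2.0.2.0"],
     "redo_apply_standby": True, "patch_5380055": False},
    {"name": "crm", "history": ["10.1.0.4", "10.1.0.5"],
     "redo_apply_standby": True, "patch_5380055": True},
    {"name": "dw", "history": ["9.2.0.8", "10.2.0.1"],
     "redo_apply_standby": False, "patch_5380055": False},
    {"name": "fresh", "history": ["10.2.0.2"],
     "redo_apply_standby": True, "patch_5380055": False},
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print("%-8s %s" % (name, status))
```
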

Oracle 9.2.0.8 Released, Major Bug Fixes

By Marc Fielding August 22nd, 2006 at 12:07 pm
Posted in Group Blog Posts

I was looking for known issues under 10.2.0.2 (which are notoriously hard to find by searching MetaLink) and came across this note that mentioned 9.2.0.8.

Looking up patch number 4547809 on Oracle’s FTP site (use your MetaLink credentials to log in), I see that it was released for Windows 32/64-bit, HP-UX 64-bit, and MVS (!) overnight:

C:\Documents and Settings\User>ftp updates.oracle.com
Connected to bigip-aru.oracle.com.
220 FTP server ready.
User (bigip-aru.oracle.com:(none)):
331 Username OK, please send password.
Password:
230-
230-           Welcome to the Oracle Patch Download FTP Server
230-
230- For detailed help, use command "quote site help".
230
ftp> cd 4547809
250 Changed directory OK.
ftp> ls -al
200 PORT command OK.
150 Opening data connection for file listing.
total 1
-r--r--r--   1 root     other    614741565 Aug 22 04:32 p4547809_92080_HP64.zip
-r--r--r--   1 root     other    173812249 Aug 22 09:37 p4547809_92080_MVS.zip
-r--r--r--   1 root     other    257710303 Aug 21 23:17 p4547809_92080_WINNT.zip
-r--r--r--   1 root     other    378323336 Aug 22 09:10 p4547809_92080_WINNT64.zip
226 Listing complete. Data connection has been closed.
ftp: 336 bytes received in 0.00Seconds 336000.00Kbytes/sec.
ftp>

There’s already one (minor) known issue: a problem with prefetch from pipelined table functions (bug 5068565).

Major bug fixes:

  • corruption in NOCACHE LOB’s under ASSM (5212539)
  • incorrect definitions/ORA-936 from dba_views (4192148)
  • memory corruption using INDIRECT_DATA_BUFFERS with RAC under Linux 32-bit (4926861)
  • ORA-6502 selecting max/min into a char variable (4458790)
  • system stats skewed by “ksu process alloc latch yield” event (4658188)
  • workaround for change of locking for “SELECT FOR UPDATE” operations introduced in 9.2.0.6 (4969880)
  • archivelogs with duplicate names between primary/standby will be deleted by RMAN (2802688)
  • wrong results with max() function on a column with NULL values (4925103)

Full fix list: MetaLink note 358776.1. Yes, it says that AIX is available, but there’s no sign of the AIX patchset in the patch download area.

Interesting to see Windows is yet again the first platform to receive the bugfix… a change in platform focus for Oracle perhaps? Then again, the third platform was MVS so maybe it means nothing.

Update: As of August 23, AIX 5L 64-bit, Linux Itanium, and Linux x86-64 have also come out.
Update: As of August 24, Solaris 32 and 64-bit are out
Update: As of August 29, Linux x86 (32-bit) is out