The latest quarterly update came out this morning. There are oh-my-god smoking guns this time, but several medium-important patches:

CVE-2008-2607: Vulnerability in DBMS_AQELM (Advanced queueing package for e-mail and HTTP notifications)
CVE-2008-2613: Vulnerability in DBMS_SCHEDULER, requiring access to a local user in the oinstall group for exploitation
CVE-2007-1359: Remotely-exploitable vulnerability in Oracle App Server. This is an issue in the ModSecurity application firewall that was originally reported in March 2007 that allows some security checks to be bypassed given a specially-formatted string. The original advisory is here.
CVE-2008-2589: PL/SQL injection flaw in Oracle Portal. Details were posted to the full disclosure list in conjunction with the patch
CVE-2008-2594 and CVE-2008-2609: These look like two more injection flaws in Portal.

If you’re running Oracle Collaboration Suite, note that the patch blows away the login and logout pages (oops!). MetaLink note 445172.1 has info on how to restore the pages post-patch.

It’s yet again time for Oracle’s critical patch update (CPUJAN2008). The update will be released on Tuesday January 15, and as of yet there are no details on exactly what vulnerabilities have been found, but the description page mentions that the following products have unauthenticated remotely-exploitable issues discovered:

• Oracle Application Server (5)
• Oracle E-Business Suite (3)
• Oracle Enterprise Manager (1)
• PeopleSoft Enterprise (1)

So especially for you folks running the above products, start planning your maintenance windows!