Oracle releases long-awaited patches

You've got three months to install them, though

Database software maker Oracle pushed out a host of long-awaited patches after struggling to organise its software fixes into a monthly release schedule.

The patches fix flaws in several of the company's products, including versions 10g, 9i and 8i of its Oracle Database Server and versions of its 10g and 9i Application Server. The flaws range from common memory errors known as buffer overflows to allowing an attacker to take control of the servers by inserting commands into instructions sent to the database.

Next-Generation Security Software, the company that found the problems, said it would withhold the details of the problems for three months, but labeled them "critical."

"This three-month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public," the company stated in an advisory.

In mid-August, Oracle stated that it would move to a monthly patching schedule to ease the burden on its customers. The company blamed the patch delay, seven months at that time, on the chaos caused by the change to development.

"While it is challenging to produce all patch sets on a fixed schedule, we are confident that a regular patch schedule is the right thing for our customers," the company said at the time.

Microsoft moved last October to providing monthly patches.

An Oracle advisory stated that no adequate workaround has been found for the flaws, so companies are urged to patch their systems.

Robert Lemos writes for CNET News.com