Oracle plans to stop automatically producing security patches for all systems its software runs on, instead creating fixes for uncommon combinations on request, the company said Tuesday.
The various versions of Oracle's database software and business applications run on a wide variety of operating systems. The Redwood City, Calif.-based company has been releasing security fixes for the bulk of those. That's changing with its next scheduled patch release in July because some fixes were seldom downloaded, it said.
"There are certain platform and version combinations that historically have been inactive," Eric Maurice, a manager for security at Oracle, wrote on a corporate blog. "Instead of systematically creating (updates) for those inactive combinations, we will only produce those patches if clients specifically request them."
Oracle will continue to include the fixes in the main code and future releases of the applicable software programs, as well as in "patch sets," which are product updates that include more than just security fixes.
Oracle announced the change in its patch plans at the same time it put out its April fixes. The "Critical Patch Update" offers fixes for 36 vulnerabilities across Oracle's products, including 14 in the company's widely used database software. Several of the vulnerabilities could be exploited remotely by an anonymous attacker, Oracle said.
"Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," Oracle said in a security advisory.
However, some Oracle customers using the Windows operating system will have to wait until April 30 for the database fixes. Oracle doesn't yet have an update for release 126.96.36.199 of its database software running on Windows because of quality issues, a company representative said.
Oracle's next Critical Patch Update is on July 17.