1. Proactive Patching Overview

Between Patch Set releases, Oracle's proactive patching program provides critical fixes to customers on a regular, predictable schedule in support of best maintenance practices.

Proactive patches are released on the same quarterly schedule as the Critical Patch Updates program releases, specifically the Tuesday closest to the 17th of January, April, July, and October. Exceptions to this schedule are documented in the product bundle patch documentation listed in the tables below.
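The quarterly cadence above ("the Tuesday closest to the 17th of January, April, July, and October") is easy to get wrong by hand, and a patch-level audit usually needs it to decide which CPU cycle an installed patch belongs to. The following is an added example, not code from Oracle or from the original page: it derives the scheduled CPU Tuesday for any quarter and the next scheduled date after a given day. It assumes the schedule rule exactly as stated above; it does not model the exceptions that Oracle documents per product, so a patch whose date-style level does not match (as with the 11.2.0.4.170814 DB PSU referenced later on this page) is precisely the case you would want to look up.

```python
from datetime import date, timedelta

# Months of the four annual Critical Patch Update releases (schedule as stated on the page).
CPU_MONTHS = (1, 4, 7, 10)

TUESDAY = 1  # datetime.weekday(): Monday=0 ... Sunday=6


def cpu_release_date(year: int, month: int) -> date:
    """Return the Tuesday closest to the 17th of the given month.

    The signed offset from the 17th to the nearest Tuesday lies in -3..+3,
    so there is never a tie (7 is odd).
    """
    if month not in CPU_MONTHS:
        raise ValueError(f"no CPU release scheduled in month {month}")
    anchor = date(year, month, 17)
    offset = (TUESDAY - anchor.weekday() + 3) % 7 - 3
    return anchor + timedelta(days=offset)


def cpu_release_dates(year: int) -> list[date]:
    """All four scheduled CPU dates for a calendar year, in order."""
    return [cpu_release_date(year, m) for m in CPU_MONTHS]


def next_cpu_after(today: date) -> date:
    """First scheduled CPU date strictly after `today` (rolls into next year if needed)."""
    for year in (today.year, today.year + 1):
        for d in cpu_release_dates(year):
            if d > today:
                return d
    raise RuntimeError("unreachable: every year has four scheduled dates")


def cpu_cycle_for(level_date: date) -> date:
    """Most recent scheduled CPU date on or before `level_date`.

    Useful for mapping a date-style patch level (see the YYMMDD note below)
    back to the quarterly cycle it was released under.
    """
    candidates = cpu_release_dates(level_date.year) + cpu_release_dates(level_date.year - 1)
    return max(d for d in candidates if d <= level_date)


if __name__ == "__main__":
    for y in (2013, 2017):
        print(y, [d.isoformat() for d in cpu_release_dates(y)])
```

The two years printed can be cross-checked against dates that appear on this page: the October 2013 advisory is dated Oct 15 2013, and the July 2017 OJVM PSU carries the level 170718.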

There are a few different types of proactive patches - Patch Set Updates (PSUs), Product Bundle Patches, and Suite Bundle Patches. They all share the following characteristics:

  • Cumulative Content: The most recent patch can be applied, and it includes all fixes previously released in earlier patches for the patch set or base release.
  • CPU (Critical Patch Update) program security fixes: All security fixes announced in the CPU Advisory for this product are included in the proactive patch. Please see the Critical Patch Updates, Security Alerts and Third Party Bulletin for a listing of all CPU Advisories released to date.
  • Well tested: The patches are tested for regressions and functional correctness.
  • Supported: If an Oracle product has been certified with specific patchset versions of another Oracle product, it is supported with any Oracle provided interim patches including the proactive patches. For example, Oracle Service Bus 11.1.1.7.x is supported with all of the WebLogic Server 10.3.5 and 10.3.6 PSUs (WebLogic Server versions 10.3.5.0.x and 10.3.6.0.x).

The patch types differ in the nature of their content as follows:

  • Patch Set Update (PSU): The content is highly controlled. Enhancements are not included.
  • Product Bundle Patch: The content is controlled. Small enhancements may be included.
  • Suite Bundle Patch: A collection of product bundle patches for a suite (e.g., an Oracle Identity Management Suite bundle patch consisting of OAM, OAAM, and OIM).

Oracle associates a version number to each proactive patch. The fifth number of the product version is incremented for each patch. For example, if the initial SOA Suite Bundle Patch is version 11.1.1.6.1, the second Bundle Patch for Release 11.1.1.6 is 11.1.1.6.2, and so on.

This enables customers and Oracle Support to refer to just one number, the version, rather than a list of interim patches or sets of bundles that have been applied.

NOTE: Effective November 2015 the version numbering format has changed. The new format replaces the numeric 5th digit of the bundle version with a release date in the form "YYMMDD" where:

  • YY is the last 2 digits of the year
  • MM is the numeric month (2 digits)
  • DD is the numeric day of the month (2 digits)

See Note 2061926.1 for details.
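Because the fifth component changed meaning in November 2015 (a small sequence number before, a YYMMDD date after), a script that compares installed and available patch levels has to recognise both forms. The following is an added example, not Oracle's code or anything from the original page: it parses a five-component bundle patch version, tells the two formats apart, validates the embedded date, and decides whether an installed level is behind a target level within the same base release. The rule it assumes for ordering across the format change (a sequence number is always a small integer, while a date-style level is at least 151100) is an inference from the note above, not something Oracle states.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)$")


@dataclass(frozen=True, order=True)
class BundleVersion:
    base: tuple  # first four components, e.g. (11, 2, 0, 4)
    level: int   # sequence number (old style) or YYMMDD as an int (new style)
    dated: bool  # True when `level` is a release date


def parse_bundle_version(text: str) -> BundleVersion:
    """Parse '11.1.1.6.2' (sequence style) or '11.2.0.4.170814' (date style)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a five-component bundle version: {text!r}")
    base = tuple(int(x) for x in m.groups()[:4])
    fifth = m.group(5)
    if len(fifth) == 6:
        # Date style: validate that YYMMDD is a real calendar date.
        yy, mm, dd = int(fifth[:2]), int(fifth[2:4]), int(fifth[4:])
        date(2000 + yy, mm, dd)  # raises ValueError for e.g. month 13
        return BundleVersion(base, int(fifth), True)
    return BundleVersion(base, int(fifth), False)


def patch_level_date(v: BundleVersion) -> Optional[date]:
    """Release date encoded in a date-style level, or None for sequence-style levels."""
    if not v.dated:
        return None
    s = f"{v.level:06d}"
    return date(2000 + int(s[:2]), int(s[2:4]), int(s[4:]))


def is_behind(installed: BundleVersion, target: BundleVersion) -> bool:
    """True when `installed` is an older proactive patch level than `target`.

    Only meaningful within one base release; comparing levels across bases
    (e.g. 11.2.0.3 vs 11.2.0.4) says nothing about patch currency, so refuse.
    Sequence-style levels (< 151100) sort before every date-style level, which
    matches the chronology of the November 2015 format change (assumption).
    """
    if installed.base != target.base:
        raise ValueError(f"different base releases: {installed.base} vs {target.base}")
    return installed.level < target.level


def audit(installed_text: str, target_text: str) -> str:
    """Human-readable one-line verdict for an inventory report."""
    installed = parse_bundle_version(installed_text)
    target = parse_bundle_version(target_text)
    verdict = "BEHIND" if is_behind(installed, target) else "current"
    return f"{installed_text}: {verdict} (target {target_text})"


if __name__ == "__main__":
    # Constructed sample inventory using version strings that appear on this page.
    for inst, tgt in [("11.2.0.4.170718", "11.2.0.4.170814"),
                      ("11.1.1.6.1", "11.1.1.6.2"),
                      ("11.2.0.4.170814", "11.2.0.4.170814")]:
        print(audit(inst, tgt))
```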

A primary goal of the proactive patching program is to provide a series of proactive, stabilizing cumulative patches for a product version (release or patch set). The following are guidelines that Oracle follows for the bundle patch lifecycle for a product version. The specifics will vary depending on the content of individual bundles.

  • Once a patch set or release is available, the first bundle patch may occur as early as the next quarterly proactive patch cycle, or more typically at the second quarterly proactive patch cycle after the release. The timing is a function of both the targeted content and when in the quarterly period the release was made available.
  • Proactive patches with security content will continue as long as the version is supported for error correction. The policies are outlined in Note 209768.1, Database, FMW, EM Grid Control, and OCS Software Error Correction Support Policy.
  • Bundle Patches and PSUs will reach a plateau of non-security content as the version stabilizes. Once this is reached, there will be a tapering off of non-security content. Oracle expects this plateau to be reached with the third or fourth Bundle Patch or PSU.
  • PSU and Bundle Patch content will be primarily security-related once the next patch set in the series is released.

2.

For 12.1.0.2, customers have a choice: they can install the DB PSU or the Proactive Bundle Patch. The Proactive Bundle Patch is a superset of the DB PSU and includes additional fixes. Oracle does not make any recommendation on which one the customer should install, as it is their choice.

The OJVM PSU is still a separate patch, as it is still non-rolling.

1.5 Oracle Database Patching - SPU vs PSU/BP

The Database Security Patch Updates (SPU) and Patch Set Updates (PSU) / Bundle Patches (BP) that are released each quarter contain the same security fixes. However, they use different patching mechanisms, and PSU/BP include both security and critical fixes.

NOTE: Applying a SPU on an installation with an installed PSU/BP is not supported.

3. Security Patch Analysis

#####################
1. Reference docs:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixDB

References
English text version of the risk matrices [ Oracle Technology Network ]

http://cve.scap.org.cn/CVE-2013-5771.html
http://securitytracker.com/archives/target/81.html

Oracle Database Bugs Let Remote Users Access Data and Deny Service
SecurityTracker Alert ID: 1029181
SecurityTracker URL: http://securitytracker.com/id/1029181
CVE Reference: CVE-2013-3826, CVE-2013-5771 (Links to External Site)
Date: Oct 15 2013
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 11.1.0.7, 11.2.0.2, 11.2.0.3, 12.1.0.1
Description: Two vulnerabilities were reported in Oracle Database. A remote user can cause denial of service conditions. A remote user can obtain potentially sensitive information.

A remote user can exploit a flaw in the XML parser and partially access data or cause partial denial of service conditions [CVE-2013-5771].

A remote user can exploit a flaw in the Core RDBMS to partially access data on the target system [CVE-2013-3826].

The following researchers reported these and other Oracle vulnerabilities:

Adam Gowdiak of Security Explorations; Adam Willard of Foreground Security; Adi Ludmer of McAfee Labs; Ajinkya Patil of AVsecurity.in; Alex Kouzemtchenko of Security Research Lab via CERT/CC; Alex Rajan of Network Intelligence; Alexander Polyakov of ERPScan; Alexander Tlyapov of Positive Technologies; Alexey Osipov of Positive Technologies; Alexey Tyurin of ERPScan (Digital Security Research Group); Anagha Devale-Vartak of AVsecurity.in; Andrea Micalizzi aka rgod, working with HP's Zero Day Initiative; Andrew Davies formerly of NCC Group; Ben Murphy via HP's Zero Day Initiative; CERT/CC; Chris Ries via the Exodus Intelligence Program; Dave Bryant of Orion Health; Dmitry Sklyarov of Positive Technologies; Esteban Martinez Fayo formerly of Application Security Inc.; HUAWEI PSIRT; James Forshaw of Context Information Security; Jeroen Frijters; Jon Passki of Security Research Lab via CERT/CC; Juraj Somorovsky of Ruhr-University Bochum; Manuel Garcia Cardenas of Internet Security Auditors; Positive Research Center (Positive Technologies Company); Qinglin Jiang formerly of Application Security Inc; Rohan Stelling of BAE Systems Detica; Sam Thomas of Pentest Limited; Timur Yunusov of Positive Technologies; Tom Parker of Orion Health; Travis Emmert via iDefense; Vinesh N. Redkar; Will Dormann of CERT/CC; and Yuki Chen of Trend Micro.
Impact: A remote user can cause partial denial of service conditions.

A remote user can partially access data on the target system.
Solution: The vendor has issued a fix as part of Oracle Critical Patch Update Advisory - October 2013.

The vendor's advisory is available at:

##############################

Reference docs

1. 11.2.0.4 Patch Set Updates - List of Fixes in each PSU (Doc ID 1611785.1)
(add new bug list)
2. Patch Set Update and Critical Patch Update July 2017 Availability Document (Doc ID 2261562.1)
(CPU list)
3. Patch 26568865: COMBO OF OJVM COMPONENT 11.2.0.4.170718 DBPSU + DBPSU 11.2.0.4.170814
(readme)

4. Patch 26550684 - Combo of OJVM Component 11.2.0.4.170718 DB PSU + GI PSU 11.2.0.4.170814
(readme)

5. 11.2.0.4 Grid Infrastructure Patch Set Updates - List of Fixes in each GI PSU (Doc ID 1614046.1)
(add new bug list)

6. Patch 26610246 - Oracle Grid Infrastructure Patch Set Update 11.2.0.4.170814 (Jul2017) (Includes Database PSU 11.2.0.4.170814)
(readme and components)

Database 11.2.0.4 Proactive Patch Information (Doc ID 2285559.1)
Release Schedule of Current Database Releases (Doc ID 742060.1)

What Are the Sub-Patches in 11.2.0.4 and 12c Grid Infrastructure (GI) Patchset Update (PSU) (Doc ID 1595371.1)
(FYI)

#####################
2. Public doc
Patch Set Update and Critical Patch Update October 2013 Availability Document

from https://mosemp.us.oracle.com/epmos/faces/DocContentDisplay?_afrLoop=341050939984213&id=1571391.1&_afrWindowMode=0&_adf.ctrl-state=hq453vse5_73#BABGDFIF

we get:

2.2 Final Patch Information (Error Correction Policies)

The Final patch is the last CPU or PSU release for which the product release is under error correction. Final patches for upcoming releases, as well as newly scheduled final patches, are listed in the following sections.

lity for Oracle Database"

Section 3.1.4.2, "Oracle Database 12.1.0.1"

Section 3.1.4.3, "Oracle Database 11.2.0.3"

Section 3.1.4.4, "Oracle Database 11.2.0.2"

Section 3.1.4.5, "Oracle Database 11.1.0.7"

