Oracle Security Leaks-Are they fixed yet???
Quite a while ago, several Oracle security leaks were discussed. I
have not gotten word that they have been fixed.
Does anyone have an update on them?
The below text was clipped from the web page and somewhat reformatted. Any distortions are my own.
http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_Unpatched_Bugs_July_2006.pdf
The ability to bypass security controls on tables using specially crafted views. Database accounts with CREATE VIEW privilege are able to insert, update, or delete data in tables where the database account only has SELECT permission.
Oracle mistakenly published on Metalink information on an un-patched security vulnerability in the Oracle Database. On April 6, 2006, Oracle Support published a Metalink Note:
Note ID 363848.1 A User with SELECT Object Privilege on Base Tables Can Delete Rows from a View
containing detailed information on the bug and a working example.
Oracle removed the Metalink Note after about 24 hours. On April 11,
2006, Alexander Kornbrust of Red Database Security released an
advisory to a security mailing list on the nature of the
vulnerability but did not provide exploit code or a working
example. This security advisory received media attention and was
widely distributed.
This bug was NOT fixed in the July 2006 CPU. Oracle has not released
any information as to when this bug will be fixed.
Any database account with CREATE VIEW system privilege and at least SELECT access to the base table can create a specially crafted view that will allow update, insert, and delete access to the base table. Andrew Max has reported that this bug can be exploited without even using a view. This issue appears to affect all supported Oracle Database versions from 8.1.7.4 to 10.2. We have verified this bug has not been fixed on 9.2.0.7 after applying the July 2006 CPU.
Received on Tue Jul 03 2007 - 18:29:14 CDT
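
An audit query for the precondition quoted above (CREATE VIEW plus SELECT-only access to a base table), added here as an example; it is not part of the original post or the Integrigy analysis. It assumes Oracle 9i or later (WITH clause, ANSI joins) and a session that can read the DBA_* dictionary views, and it covers only the view-based path, not the view-less variant the post mentions.

```sql
-- Added example: list accounts that can create views and hold SELECT, but no
-- INSERT/UPDATE/DELETE, on another schema's table.
-- Assumptions: column-level grants (DBA_COL_PRIVS) and ANY-table system
-- privileges are not considered; object grants are read for the user and
-- PUBLIC only, because a view owner needs them directly, not through a role.
WITH cv_holder AS (
  -- users or roles granted the system privilege directly
  SELECT grantee
  FROM   dba_sys_privs
  WHERE  privilege IN ('CREATE VIEW', 'CREATE ANY VIEW')
),
cv_account AS (
  -- direct holders, plus anyone inheriting a holding role at any depth
  SELECT grantee AS account FROM cv_holder
  UNION
  SELECT grantee
  FROM   dba_role_privs
  START WITH granted_role IN (SELECT grantee FROM cv_holder)
  CONNECT BY PRIOR grantee = granted_role
),
obj AS (
  -- per grantee and table: is SELECT granted, is any DML privilege granted
  SELECT p.grantee, p.owner, p.table_name,
         MAX(CASE WHEN p.privilege = 'SELECT' THEN 1 ELSE 0 END) AS has_select,
         MAX(CASE WHEN p.privilege IN ('INSERT', 'UPDATE', 'DELETE')
                  THEN 1 ELSE 0 END) AS has_dml
  FROM   dba_tab_privs p
  JOIN   dba_tables t                 -- keep base tables, drop other objects
         ON t.owner = p.owner AND t.table_name = p.table_name
  GROUP  BY p.grantee, p.owner, p.table_name
)
SELECT u.username, o.owner, o.table_name
FROM   dba_users u
JOIN   cv_account c ON c.account IN (u.username, 'PUBLIC')
JOIN   obj o        ON o.grantee IN (u.username, 'PUBLIC')
WHERE  o.owner <> u.username
GROUP  BY u.username, o.owner, o.table_name
HAVING MAX(o.has_select) = 1          -- can read the table
   AND MAX(o.has_dml) = 0             -- but was never granted write access
ORDER  BY u.username, o.owner, o.table_name;
```

Each row returned is an account and table pair where the read-only grant is the only control in place, which is the combination the quoted analysis describes as affected.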