Oracle’s Critical Patch Update is out for July 2015:
Affected are database versions 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124 and 126.96.36.199.
This is the final patch for both the 188.8.131.52 and 184.108.40.206 releases. The final patch for 220.127.116.11 will be released in January 2016.
The most prominent bug on the risk matrix is CVE-2015-2629 whereby a remote authenticated user can exploit a flaw in the Java VM component to gain elevated privileges.
For the 18.104.22.168 patches, you can apply one of the following:
22.214.171.124 SPU for UNIX: patch 20803583
126.96.36.199.7 PSU for UNIX: patch 20760982
188.8.131.52.17 Quarterly Database Patch for Exadata (July 2015): patch 21142006
July 2015 Quarterly Full-Stack Patch for Exadata: patch 21186703
Don’t forget your Grid Infrastructure patching:
184.108.40.206 PSU for UNIX: patch 20996923
And, of course, ever since those Java bugs were discovered, we should also patch the JVM:
220.127.116.11.4 Database PSU for UNIX: patch 21068539