Oracle has issued a major patch release covering 85 vulnerabilities in its software. 

The patch fixes a number of serious flaws, including one buffer overflow vulnerability, 17 PL/SQL injection vulnerabilities in Oracle Database 10g and Oracle9i Database Server, and flaws in the Oracle Reports Server used in 23 applications.

The patch also includes non-security fixes that are needed because of the security patches.

Security firm Secunia has issued an advisory on the problems and rates the flaws as 'moderately critical'. It urges users to patch as soon as possible. 

"The new database vulnerabilities addressed by this critical patch update do not affect Oracle Database Client-only installations that do not have the Oracle Database Server installed," said Oracle in a statement.

"Therefore, it is not necessary to apply this critical patch update to client-only installations if a prior critical patch update, or Alert 68, has already been applied to the client-only installations."

Oracle has come in for severe criticism from security specialists over the time it takes to patch vulnerabilities. In some cases the company has taken two years to issue a vulnerability patch after it was reported.