Looking at the Oracle security advisory page here: https://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Oracle in 2016 disclosed vulnerabilities in their OJDBC7 versions 12.1.0.1 and 12.1.0.2.
However, looking for the most recent versions of OJDBC, they are still offering both 12.1.0.1 and 12.1.0.2 as their most up-to-date versions.
https://www.oracle.com/database/technologies/jdbc-drivers-12c-downloads.html
https://www.oracle.com/database/technologies/jdbc-upc-downloads.html
Am I missing something about the way that Oracle does their "patching" and they fix the vulnerable version and then release it as the same version, or have they actually not fixed this vulnerability?