RE: Litchfield on October patch

Better yet, just don't use the dbca.

Rich

"E-vil. Like the fru-its of the dev-il, E-vil."

• Charley Mackenzie, So I Married An Axe Murderer

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Paul Drake Sent: Wednesday, October 19, 2005 6:09 PM To: stellr_at_cns.vt.edu
Cc: oracle-l
Subject: Re: Litchfield on October patch

On 10/19/05, Ray Stell <stellr_at_cns.vt.edu> wrote:
> from bugtraq:
>
> Having downloaded and given the Oracle October patch a cursory
examination,
> some of the flaws Oracle told me were being fixed, remain exploitable.
Once
> again the patch is not sufficient. I will conduct a full investigation
of
> the patch over the coming few days and post some recommendations once
> complete. Incidently, it's good to see that the NGS Disclosure policy
of not
> publicly releasing details of the flaws "fixed" seems to work as a
useful
> fail safe mechanism.
>
> More to follow...
> Cheers,
> David Litchfield
> NGSSoftware Ltd
> http://www.ngssoftware.com/
> ======================================================================
> Ray Stell stellr_at_vt.edu (540) 231-4109 Tempus fugit 28^D
> --
> http://www.freelists.org/webpage/oracle-l

This one will knock out vulnerabilities DB [17-25]: Steps for Manual De-installation of Oracle Spatial http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_d atabase_id=NOT&p_id=179472.1

Basically, the schema mdsys is created by default in a dbca db, even if the spatial option is not being installed. In theory, the following:

SQL> drop user spatial cascade;

should do the trick.
The referenced doc was for 9i and not apparently updated for 10g.

As always, test on a destructo box first.

Paul

--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l