Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Litchfield on October patch

From: Ray Stell <stellr_at_cns.vt.edu>
Date: Thu, 20 Oct 2005 11:16:48 -0400
Message-ID: <20051020151648.GE320@locust.cns.vt.edu>

So, the October surprise is that the holes are really closed, cool! Litchfield described earlier:

"Some of Oracle's "fixes" simply attempt to stop the example exploits I sent them for reproduction purposes. In other words the actual flaw was not addressed and with a slight modification to the exploit it works again. This shows a slapdash approach with no real consideration for fixing the actual problem itself."

http://en.wikipedia.org/wiki/October_Surprise

On Thu, Oct 20, 2005 at 10:54:12AM -0400, oracle-l-bounce_at_freelists.org wrote:
> Exactly. DBCA is a beast that should be put to sleep. It cruds the
> database up with stuff that you don't need, and that Oracle wants to
> charge you for. We never use it.
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Jesse, Rich
> Sent: Thursday, October 20, 2005 10:49 AM
> To: bdbafh_at_gmail.com; stellr_at_cns.vt.edu
> Cc: oracle-l
> Subject: RE: Litchfield on October patch
>
> Better yet, just don't use the dbca.
>
> Rich
>
> "E-vil. Like the fru-its of the dev-il, E-vil."
> -- Charley Mackenzie, So I Married An Axe Murderer
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Paul Drake
> Sent: Wednesday, October 19, 2005 6:09 PM
> To: stellr_at_cns.vt.edu
> Cc: oracle-l
> Subject: Re: Litchfield on October patch
>
>
> On 10/19/05, Ray Stell <stellr_at_cns.vt.edu> wrote:
> > from bugtraq:
> >
> > Having downloaded and given the Oracle October patch a cursory examination,
> > some of the flaws Oracle told me were being fixed, remain exploitable. Once
> > again the patch is not sufficient. I will conduct a full investigation of
> > the patch over the coming few days and post some recommendations once
> > complete. Incidentally, it's good to see that the NGS Disclosure policy of not
> > publicly releasing details of the flaws "fixed" seems to work as a useful
> > fail safe mechanism.
> >
> > More to follow...
> > Cheers,
> > David Litchfield
> > NGSSoftware Ltd
> > http://www.ngssoftware.com/
> > ======================================================================
> > Ray Stell stellr_at_vt.edu (540) 231-4109 Tempus fugit 28^D
> > --
> > http://www.freelists.org/webpage/oracle-l
>
> This one will knock out vulnerabilities DB [17-25]:
> Steps for Manual De-installation of Oracle Spatial
> http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=179472.1
>
> Basically, the schema mdsys is created by default in a dbca db, even
> if the spatial option is not being installed. In theory, the
> following:
>
> SQL> drop user spatial cascade;
>
> should do the trick.
> The referenced doc was for 9i and not apparently updated for 10g.
>
> As always, test on a destructo box first.
>
> Paul
> --
> http://www.freelists.org/webpage/oracle-l
> --
> http://www.freelists.org/webpage/oracle-l
> --
> http://www.freelists.org/webpage/oracle-l

-- 
======================================================================
Ray Stell       stellr_at_vt.edu   (540) 231-4109  Tempus fugit      28^D
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Oct 20 2005 - 10:28:53 CDT
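Paul's suggestion amounts to removing a schema that the DBCA installs whether or not the Spatial option is licensed or used. Before doing that anywhere but on a destructo box, a DBA wants to know what else in the database depends on MDSYS. The SQL*Plus script below is an added example, not part of the thread or of the Metalink note; it assumes a SYSDBA connection to a 9i/10g database and uses only standard data dictionary views (DBA_USERS, DBA_REGISTRY, V$OPTION, DBA_TAB_COLUMNS, DBA_DEPENDENCIES, DBA_INDEXES). It is read-only: it reports what would break, and the drop itself is left commented out until the report comes back empty and a tested backup exists.

```sql
-- Pre-flight audit before removing the MDSYS (Spatial) schema.
-- Added example, not from the thread. Assumes SQL*Plus connected AS SYSDBA.
-- Every statement here only reads the data dictionary.
SET LINESIZE 200 PAGESIZE 100 FEEDBACK OFF

PROMPT === 1. Is the MDSYS account present, and is it locked or open?
SELECT username, account_status, created
  FROM dba_users
 WHERE username = 'MDSYS';

PROMPT === 2. Is Spatial registered as a component, and is the option linked in?
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id IN ('SDO', 'ORDIM');   -- SDO = Spatial, ORDIM = interMedia

SELECT parameter, value
  FROM v$option
 WHERE parameter = 'Spatial';

PROMPT === 3. Do application schemas store data in MDSYS types (e.g. SDO_GEOMETRY)?
SELECT owner, table_name, column_name, data_type
  FROM dba_tab_columns
 WHERE data_type_owner = 'MDSYS'
   AND owner NOT IN ('SYS', 'SYSTEM', 'MDSYS')
 ORDER BY owner, table_name, column_name;

PROMPT === 4. Which other objects (views, packages, types) reference MDSYS objects?
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'MDSYS'
   AND owner <> 'MDSYS'
 ORDER BY owner, name;

PROMPT === 5. Domain indexes built with an MDSYS indextype (spatial indexes)
SELECT owner, index_name, table_name, ityp_name
  FROM dba_indexes
 WHERE ityp_owner = 'MDSYS'
 ORDER BY owner, index_name;

-- Proceed only when sections 3, 4 and 5 return no rows, the option is not
-- licensed for this database, and a tested backup exists:
-- DROP USER mdsys CASCADE;
```

Sections 3 to 5 are the ones that matter: a row in any of them means an application, a dependent schema object or an index would be invalidated by the drop, and on a shared database that is usually the case for interMedia or for anything that was built with Locator. Run the script on the test box first, as Paul says, then compare its output against production before touching anything there.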
