From: Paul Drake
To: stellr@cns.vt.edu
Cc: oracle-l
Date: Wed, 19 Oct 2005 19:08:53 -0400
Subject: Re: Litchfield on October patch

On 10/19/05, Ray Stell wrote:
> from bugtraq:
>
> Having downloaded and given the Oracle October patch a cursory examination,
> some of the flaws Oracle told me were being fixed, remain exploitable. Once
> again the patch is not sufficient. I will conduct a full investigation of
> the patch over the coming few days and post some recommendations once
> complete. Incidentally, it's good to see that the NGS Disclosure policy of not
> publicly releasing details of the flaws "fixed" seems to work as a useful
> fail safe mechanism.
>
> More to follow...
> Cheers,
> David Litchfield
> NGSSoftware Ltd
> http://www.ngssoftware.com/
> ======================================================================
> Ray Stell stellr@vt.edu (540) 231-4109 Tempus fugit 28^D
> --
> http://www.freelists.org/webpage/oracle-l

This one will knock out vulnerabilities DB [17-25]:

Steps for Manual De-installation of Oracle Spatial
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=179472.1

Basically, the schema mdsys is created by default in a dbca db, even if the
spatial option is not being installed.

In theory, the following:

SQL> drop user spatial cascade;

should do the trick.
The referenced doc was for 9i and not apparently updated for 10g.
As always, test on a destructo box first.

Paul
--
http://www.freelists.org/webpage/oracle-l
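
An added example, not part of the original message or of the referenced Metalink note: read-only data-dictionary queries to run on the test box before removing the MDSYS schema, to see whether anything outside that schema relies on it. It assumes a DBA-privileged SQL*Plus session, and the choice of checks is an assumption of this example.

```sql
-- Added example: read-only pre-checks before removing the MDSYS schema.
-- Assumes a DBA-privileged session; nothing here modifies the database.

-- 1. Is the schema present, and is the account open or locked?
SELECT username, account_status, created
FROM   dba_users
WHERE  username = 'MDSYS';

-- 2. Is Spatial registered as an installed component (comp_id SDO)?
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'SDO';

-- 3. Tables or views in other schemas with columns of MDSYS-owned
--    types (for example SDO_GEOMETRY).
SELECT owner, table_name, column_name, data_type
FROM   dba_tab_columns
WHERE  data_type_owner = 'MDSYS'
AND    owner <> 'MDSYS'
ORDER  BY owner, table_name, column_name;

-- 4. Domain indexes in other schemas built on MDSYS index types.
SELECT owner, index_name, table_owner, table_name, ityp_name
FROM   dba_indexes
WHERE  ityp_owner = 'MDSYS'
AND    owner <> 'MDSYS'
ORDER  BY owner, index_name;

-- 5. Objects in other schemas that reference MDSYS objects,
--    summarised per owner and object type.
SELECT owner, type, COUNT(*) AS dependents
FROM   dba_dependencies
WHERE  referenced_owner = 'MDSYS'
AND    owner NOT IN ('MDSYS', 'PUBLIC')
GROUP  BY owner, type
ORDER  BY owner, type;
```

Rows returned by queries 3 to 5 identify application data or code that would be invalidated or lost by a cascading drop, so they need to be reviewed before the schema is removed.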