Re: List of security issues/fixes for Oracle 9i R1 & R2

From: Yong Huang <yong321_at_yahoo.com>
Date: 29 Jan 2003 11:34:30 -0800
Message-ID: <b3cb12d6.0301291134.17752d88@posting.google.com>


Pete Finnigan <pete_at_peterfinnigan.demon.co.uk> wrote in message news:<l0Mhy0Ah7vN+Ew$l_at_peterfinnigan.demon.co.uk>...
> Hi Joe
>
> All of the security alerts that Oracle have acknowledged and released
> patches or workarounds for have advisories posted to
> http://otn.oracle.com/deploy/security/alerts.htm. There is a subscriber
> list also at the same site. You need a free user account creating.
>
> I have just written a book for the SANS Institute with the help of some
> of the guys who contribute to this list. It is called "Oracle security
> step-by-step (A survival guide to Oracle security)". It's a list of known
> configuration issues and default installation issues and for each issue
> there are checks to perform and actions to take. See
> http://store.sans.org for details.

Hi, Pete,

I didn't read your articles or books yet. I hope you included criticism of some Oracle-supplied shell scripts that require the password to be passed as a command line argument. For one of many examples, the Oracle Portal ssodatan script needs -p portal_password and -d sso_password. I imagine if the scripts came from Sun or HP, the authors might have done some terminal trick to not display the password.

Yong Huang

Received on Wed Jan 29 2003 - 13:34:30 CST
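
The concern raised in the post above, as an added example that is not part of the original message and is not Oracle's code: it checks whether a password handed to a child process can be read back from that process's argument list, and shows the terminal-based alternative (prompt with echo off, pass the value on stdin). The name `ssodatan_like` is a hypothetical stand-in for a script taking `-p password`; the function names and any password values are constructed for illustration.

```shell
#!/bin/sh
# Added example. ssodatan_like is a hypothetical stand-in, not the real script.

# Return 0 if string $2 appears in the argument list of process $1.
# Argument lists are readable by other local users via /proc or ps.
secret_in_argv() {
    if [ -r "/proc/$1/cmdline" ]; then
        sia_args=$(tr '\0' ' ' < "/proc/$1/cmdline")
    else
        sia_args=$(ps -o args= -p "$1" 2>/dev/null || true)
    fi
    case $sia_args in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Start a stand-in child in mode "argv" or "stdin", then return 0 if the
# password $2 can be recovered from the child's argument list.
leaks() {
    case $1 in
    argv)   # weak: the password is an argv element of the child
        sh -c 'sleep 3; :' ssodatan_like -p "$2" </dev/null >/dev/null 2>&1 &
        ;;
    stdin)  # better: printf is a shell builtin, so the value never reaches exec
        printf '%s\n' "$2" |
            sh -c 'IFS= read -r pw; sleep 3; :' ssodatan_like >/dev/null 2>&1 &
        ;;
    esac
    lk_child=$!
    sleep 1                                  # give the child time to exec
    secret_in_argv "$lk_child" "$2" && lk_rc=0 || lk_rc=1
    kill "$lk_child" 2>/dev/null || true
    wait "$lk_child" 2>/dev/null || true
    return "$lk_rc"
}

# Read a password without echoing it when stdin is a terminal; accept a
# pipe or redirected file otherwise. Prints the value on stdout.
read_password() {
    if [ -t 0 ]; then
        rp_saved=$(stty -g)
        trap 'stty "$rp_saved"' INT TERM     # restore echo if interrupted
        printf 'Password: ' >&2
        stty -echo
        IFS= read -r rp_pw
        stty "$rp_saved"; trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r rp_pw
    fi
    printf '%s' "$rp_pw"
}
```

A wrapper would call `read_password` once and feed the result to the tool on stdin; this only helps if the tool itself accepts the password that way.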
