RE: Litchfield on October patch

• To: <Rich.Jesse@xxxxxxxxxxxxxxxxx>, <bdbafh@xxxxxxxxx>, <stellr@xxxxxxxxxx>
• Date: Thu, 20 Oct 2005 10:54:12 -0400

Exactly.  DBCA is a beast that should be put to sleep.  It cruds the
database up with stuff that you don't need, and that Oracle wants to
charge you for.  We never use it.

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jesse, Rich
Sent: Thursday, October 20, 2005 10:49 AM
To: bdbafh@xxxxxxxxx; stellr@xxxxxxxxxx
Cc: oracle-l
Subject: RE: Litchfield on October patch

Better yet, just don't use the dbca.

Rich

"E-vil.  Like the fru-its of the dev-il, E-vil."
 -- Charley Mackenzie, So I Married An Axe Murderer

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Paul Drake
Sent: Wednesday, October 19, 2005 6:09 PM
To: stellr@xxxxxxxxxx
Cc: oracle-l
Subject: Re: Litchfield on October patch


On 10/19/05, Ray Stell <stellr@xxxxxxxxxx> wrote:
> from bugtraq:
>
> Having downloaded and given the Oracle October patch a cursory
examination,
> some of the flaws Oracle told me were being fixed, remain exploitable.
Once
> again the patch is not sufficient. I will conduct a full investigation
of
> the patch over the coming few days and post some recommendations once
> complete. Incidently, it's good to see that the NGS Disclosure policy
of not
> publicly releasing details of the flaws "fixed" seems to work as a
useful
> fail safe mechanism.
>
>   More to follow...
>   Cheers,
>   David Litchfield
>   NGSSoftware Ltd
>   http://www.ngssoftware.com/
> ======================================================================
> Ray Stell       stellr@xxxxxx   (540) 231-4109  Tempus fugit      28^D
> --
> http://www.freelists.org/webpage/oracle-l

This one will knock out vulnerabilities DB [17-25]:
Steps for Manual De-installation of Oracle Spatial
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_d
atabase_id=NOT&p_id=179472.1

Basically, the schema mdsys is created by default in a dbca db, even
if the spatial option is not being installed. In theory, the
following:

SQL> drop user spatial cascade;

should do the trick.
The referenced doc was for 9i and not apparently updated for 10g.

As always, test on a destructo box first.

Paul
--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l

• Follow-Ups:
  • Re: Litchfield on October patch
    • From: Ray Stell

Other related posts:

• » Litchfield on October patch
• » Re: Litchfield on October patch
• » RE: Litchfield on October patch
• » RE: Litchfield on October patch
• » Re: Litchfield on October patch
• » RE: Litchfield on October patch
• » Re: Litchfield on October patch
• » Re: Litchfield on October patch
• » RE: Litchfield on October patch
• » Re: Litchfield on October patch
• » RE: Litchfield on October patch
• » RE: Litchfield on October patch
• » RE: Litchfield on October patch

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page
• » View list details
• » Manage your subscription