So, the October surprise is that the holes are really closed, cool!

Litchfield described earlier: "Some of Oracle's "fixes" simply attempt to
stop the example exploits I sent them for reproduction purposes. In other
words the actual flaw was not addressed and with a slight modification to
the exploit it works again. This shows a slapdash approach with no real
consideration for fixing the actual problem itself."

http://en.wikipedia.org/wiki/October_Surprise

On Thu, Oct 20, 2005 at 10:54:12AM -0400, oracle-l-bounce@xxxxxxxxxxxxx wrote:
> Exactly. DBCA is a beast that should be put to sleep. It cruds the
> database up with stuff that you don't need, and that Oracle wants to
> charge you for. We never use it.
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jesse, Rich
> Sent: Thursday, October 20, 2005 10:49 AM
> To: bdbafh@xxxxxxxxx; stellr@xxxxxxxxxx
> Cc: oracle-l
> Subject: RE: Litchfield on October patch
>
> Better yet, just don't use the dbca.
>
> Rich
>
> "E-vil. Like the fru-its of the dev-il, E-vil."
> -- Charley Mackenzie, So I Married An Axe Murderer
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Paul Drake
> Sent: Wednesday, October 19, 2005 6:09 PM
> To: stellr@xxxxxxxxxx
> Cc: oracle-l
> Subject: Re: Litchfield on October patch
>
>
> On 10/19/05, Ray Stell <stellr@xxxxxxxxxx> wrote:
> > from bugtraq:
> >
> > Having downloaded and given the Oracle October patch a cursory examination,
> > some of the flaws Oracle told me were being fixed, remain exploitable. Once
> > again the patch is not sufficient. I will conduct a full investigation of
> > the patch over the coming few days and post some recommendations once
> > complete. Incidentally, it's good to see that the NGS Disclosure policy of not
> > publicly releasing details of the flaws "fixed" seems to work as a useful
> > fail safe mechanism.
> >
> > More to follow...
> > Cheers,
> > David Litchfield
> > NGSSoftware Ltd
> > http://www.ngssoftware.com/
> > ======================================================================
> > Ray Stell stellr@xxxxxx (540) 231-4109 Tempus fugit 28^D
> > --
> > //www.freelists.org/webpage/oracle-l
>
> This one will knock out vulnerabilities DB [17-25]:
> Steps for Manual De-installation of Oracle Spatial
> http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=179472.1
>
> Basically, the schema mdsys is created by default in a dbca db, even
> if the spatial option is not being installed. In theory, the
> following:
>
> SQL> drop user spatial cascade;
>
> should do the trick.
> The referenced doc was for 9i and not apparently updated for 10g.
>
> As always, test on a destructo box first.
>
> Paul
--
======================================================================
Ray Stell stellr@xxxxxx (540) 231-4109 Tempus fugit 28^D
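Paul's suggestion above amounts to removing a default schema (MDSYS, which backs Oracle Spatial) that a DBCA-built database carries even when the option is never used. Before dropping anything, a DBA would want to confirm that nothing actually depends on it, and have an interim containment step if the drop has to wait for a change window. The following queries are an added example written for this thread, not Paul's or Oracle's own procedure; they assume a DBA-privileged session on a 9i/10g-era database and rely only on the standard data-dictionary views named in the comments. The audit-trail query goes slightly beyond the thread and only returns rows if session auditing is enabled.

```sql
-- Pre-checks before removing an unused Spatial (MDSYS) schema.
-- Added example for this thread; run as a DBA on a test box first.

-- 1. Is the Spatial component registered at all, and in what state?
--    COMP_ID 'SDO' is Oracle Spatial in DBA_REGISTRY.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'SDO';

-- 2. Does the MDSYS account exist, and is it already locked?
SELECT username, account_status, created
FROM   dba_users
WHERE  username = 'MDSYS';

-- 3. Which non-Oracle schemas reference MDSYS objects (types, packages)?
--    Any rows here mean an application would break if MDSYS were dropped.
SELECT owner, name, type, referenced_name, referenced_type
FROM   dba_dependencies
WHERE  referenced_owner = 'MDSYS'
AND    owner NOT IN ('SYS', 'SYSTEM', 'MDSYS', 'ORDSYS', 'CTXSYS', 'XDB', 'WMSYS')
ORDER  BY owner, name;

-- 4. Which application tables hold Spatial data (columns of an MDSYS type,
--    e.g. SDO_GEOMETRY)? Rows here are data that would be lost.
SELECT owner, table_name, column_name, data_type
FROM   dba_tab_columns
WHERE  data_type_owner = 'MDSYS'
AND    owner NOT IN ('SYS', 'SYSTEM', 'MDSYS')
ORDER  BY owner, table_name;

-- 5. Has anything logged on as MDSYS? Only populated when AUDIT SESSION
--    is enabled and the audit trail is written to the database.
SELECT username, MAX(timestamp) AS last_logon
FROM   dba_audit_session
WHERE  username = 'MDSYS'
GROUP  BY username;

-- 6. Interim containment if the drop must wait: nobody should be able to
--    authenticate as the schema owner in the meantime.
ALTER USER mdsys ACCOUNT LOCK PASSWORD EXPIRE;
```

If queries 3 and 4 return no rows and the registry shows the component is not in use, the de-installation note Paul cites can be followed on a disposable copy of the database; if they do return rows, step 6 is the safer stopping point, since locking the account removes the logon path without destroying application data.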