Re: Litchfield on October patch

  • From: Paul Drake <bdbafh@xxxxxxxxx>
  • To: stellr@xxxxxxxxxx
  • Date: Wed, 19 Oct 2005 19:08:53 -0400

On 10/19/05, Ray Stell <stellr@xxxxxxxxxx> wrote:
> from bugtraq:
>
> Having downloaded and given the Oracle October patch a cursory examination,
> some of the flaws Oracle told me were being fixed, remain exploitable. Once
> again the patch is not sufficient. I will conduct a full investigation of
> the patch over the coming few days and post some recommendations once
> complete. Incidentally, it's good to see that the NGS Disclosure policy of not
> publicly releasing details of the flaws "fixed" seems to work as a useful
> fail safe mechanism.
>
>   More to follow...
>   Cheers,
>   David Litchfield
>   NGSSoftware Ltd
>   http://www.ngssoftware.com/
> ======================================================================
> Ray Stell       stellr@xxxxxx   (540) 231-4109  Tempus fugit      28^D
> --
> //www.freelists.org/webpage/oracle-l

This one will knock out vulnerabilities DB [17-25]:
Steps for Manual De-installation of Oracle Spatial
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=179472.1

Basically, the schema mdsys is created by default in a dbca db, even
if the spatial option is not being installed. In theory, the
following:

SQL> drop user mdsys cascade;

should do the trick.
The referenced doc was for 9i and not apparently updated for 10g.

As always, test on a destructo box first.

Paul