Search Results

Search found 1360 results on 55 pages for 'eric wang'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 4/55 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • "failed to download package files" in VirtualBox with 11.04 and 11.10

    - by wang.xueqiang
    After I installed Ubuntu 11.04/11.10 in VirtualBox in Windows 7, I cannot update any software with the error message "failed to download package files". After having googled, I have tried: sudo apt-get update sudo apt-get upgrade changed to another sources But I still got the same error message. And there is no problem with internet connection as i can connect to internet using Firefox in Ubuntu. Any ideas?

    Read the article

  • June 2012 Critical Patch Update for Java SE Released

    - by Eric P. Maurice
    Hi, this is Eric Maurice. Oracle just released the June 2012 Critical Patch Update for Java SE.  This Critical Patch Update provides 14 new security fixes across Java SE products.  As discussed in previous blog entries, Critical Patch Updates for Java SE will, for the foreseeable future, continue to be released on a separate schedule than that of other Oracle products due to previous commitments made to Java customers.  12 of the 14 Java SE vulnerabilities fixed in this Critical Patch Update may be remotely exploitable without authentication.  6 of these vulnerabilities have a CVSS Base Score of 10.0.  In accordance with Oracle’s policies, these CVSS 10 scores represent instances where a user running a Java applet or Java Web Start application has administrator privileges (as is typical on Windows XP).  When the user does not run with administrator privileges (typical on the Solaris and Linux operating systems), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability for these vulnerabilities would be "Partial" instead of "Complete", thus lowering these CVSS Base Scores to 7.5. Due to the high severity of these vulnerabilities, Oracle recommends that customers obtain and apply these security fixes as soon as possible: Developers should download the latest release at http://www.oracle.com/technetwork/java/javase/downloads/index.html    Java users should download the latest release of JRE at http://java.com, and of course  Windows users can take advantage of the Java Automatic Update to get the latest release. In addition, Oracle recommends removing old an unused versions  of Java as the latest version is always the recommended version as it contains the most recent enhancements, and bug and security fixes.  For more information: •Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml  •Users can verify that they’re running the most recent version of Java by visiting: http://java.com/en/download/installed.jsp   •The Advisory for the June 2012 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

    Read the article

  • How to set up VirtualBox Bridged Network on Windows 7 Host?

    - by Tong Wang
    I have virtualbox running on a Windows 2008 server, with a guest running ubuntu 10.04. The ubuntu guest is given a static IP of 192.168.1.4, which also has openssh installed. The guest has bridged network setup, I can ping 192.168.1.4 from any machine in the LAN, the ubuntu guest can also access the LAN. However, when I try to PuTTY into the ubuntu machine, I always get "connection refused". Below are some setup details: ubuntu IP: 192.168.1.4 hosts.allow sshd : 192.168.1.38 hosts.deny ALL : ALL when I the following command, I can see that sshd is listening on port 22: lsof -i tcp:22 Any idea? EDIT: It turned out to be a wrong VirtualBox Bridged Network setup. I give the Ubuntu guest a static IP of 192.168.1.4 (assigned to eth0). Then in the Windows 7 host, in the Network and Sharing Center, there is a new connection named "VirtualBox Host-Only Network" after the bridge is setup, that connection is again given the same static IP of 192.168.1.4. Once I change the "VirtualBox Host-Only Network" to automatically obtain an IP address, it's getting a different IP address of 169.254.249.70(Tentative). And now I can SSH into 192.168.1.4 with no problem, even without touching hosts.allow and hosts.deny. I've also noticed that in the properties windows (see screenshot below) of the "VirtualBox Host-Only Network", the second checkbox, "VirtualBox Bridged Networking Driver" is unchecked. While the same checkbox of the physical NIC (that is bridged to) is checked. So my further question is: is this how VBox bridged networking supposed to be setup? Any rationale behind this? I'd appreciate if someone could provide some explaination on VBox bridged networking setup on Windows host and I'll accept it as an answer.

    Read the article

  • Multiple Java EE Agents on Single Managed Server

    - by tina.wang
    A default JEE agent is created when you create domain, which is named as OracleDIAgent. 1. In Studio, duplicate the agent, change its name to genAgent, change the web application context to genagent. 2: Go to datasource of genAgent, drop all datasources.3: Generate server template. put the jar file under odi\common\templates\wls 4: Deploy this template by update the existing domain. Bring up the config.cmd, choose update existing domain. 5: Update the domain using the template that just generated. Go through the Configuration wizard. (I did not modify anything or configure anything here). 6: The wizard will give information says the deployment was successful. 7: Bring up the admin server and ODI_server1. 

    Read the article

  • My Oracle Suport?????

    - by Dongwei Wang
    ????????????????,??????MOS???????(????),????????????????????????????:Note 62143.1 - Troubleshooting: Tuning the Shared Pool and Tuning Library Cache Latch ContentionNote 376442.1 - * How To Collect 10046 Trace (SQL_TRACE) Diagnostics for Performance IssuesNote 749227.1 - * How to Gather Optimizer Statistics on 11gNote 1359094.1 - FAQ: How to Use AWR reports to Diagnose Database Performance IssuesNote 1320966.1 - Things to Consider Before Upgrading to 11.2.0.2 to Avoid Poor Performance or Wrong ResultsNote 1392633.1 - Things to Consider Before Upgrading to 11.2.0.3 to Avoid Poor Performance or Wrong Results????????????????”??“???,?????????????????(PDF??)???????????????”Rate this document“????

    Read the article

  • Where to purchase an unlocked HTC Incredible or EVO 4G

    - by Eric
    Hello, Is it possible to buy an HTC EVO 4G (preferably), or the Droid Incredible (second choice) from a vendor whereby the phone is unlocked without a cellular plan? I just want to get a phone to test my Android app on over the built-in WiFi (for now). Please advise. Finally, does anyone know of a phone coming out in the next couple of weeks that is faster (hardware-wise) than the EVO 4G? Thank You! Eric

    Read the article

  • Hardware Mediaplayer display

    - by Eric Audio
    I'm looking for a keyboard or just a little display to attach on my keyboard or something like that, what will show me the music tracks i'm playing in windowsmedia player, itunes, etc. I did some research and the only thing I found are gaming keyboards, but i'm not shure if these show my music tracks. So my question: Does somebody knows a keyboard who show the music tracks or just a little display? Bye, Eric

    Read the article

  • April 2010 Critical Patch Update Released

    - by eric.maurice
    Hi, this is Eric Maurice. Today Oracle released the April 2010 Critical Patch Update (CPUApr2010),the first one to include security fixes for Oracle Solaris. Today's Critical Patch Update (CPU) provides 47 new security fixes across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Life Sciences, Retail, and Communications Industry Suites, and Oracle Solaris. 28 of these 47 new vulnerabilities are remotely exploitable without authentication, but the criticality of the affected components and the severity of these vulnerabilities vary greatly. Customers should, as usual, refer to the Risk Matrices in the CPU Advisory to assess the relevance of these fixes for their environment (and the urgency with which to apply the fixes). 7 of the 47 new vulnerabilities affect various versions of Oracle Database Server. None of these 7 vulnerabilities are remotely exploitable without authentication. Furthermore, none of these fixes are applicable to client-only deployments. The most severe CVSS Base Score for the Database Server vulnerabilities is 7.1. As a reminder, information about Oracle's use of the CVSS 2.0 standard can be found in Note 394487.1 (My Oracle Support subscription required). Note that this Critical Patch Update includes fixes for vulnerabilities that were publicly disclosed by David Litchfield at the BlackHat DC Conference in early February (CVE-2010-0866 and CVE-2010-0867). 5 of the 47 new vulnerabilities affect various components of the Oracle Fusion Middleware product family. The highest CVSS Base Score for these vulnerabilities is 7.5. Note that the patches for Oracle WebLogic Server are cumulative and this Critical Patch Update therefore also includes a fix for a vulnerability (CVE-2010-0073) that was the subject of a Security Alert issued by Oracle on February 4, 2010. Customers, who have not applied the previously-released patch, should apply today's Critical Patch Update as soon as possible. As stated at the beginning of this blog, it is also noteworthy to highlight that this Critical Patch Update provides 16 new fixes for the Sun product line. With the recent close of the Sun acquisition both security organizations have worked diligently to align Sun's previous security practices with Oracle's. Java users know that Oracle released a Critical Patch Update for Java SE and Java For Business earlier this month (in accordance with the Java patching schedule previously published by Sun Microsystems). Please note that for the first time, the Java advisories included CVSS Scores to help assess the severity of the new vulnerabilities fixed with the advisory. The rapid inclusion of the Solaris product lines in the Critical Patch Update and the extension of Oracle Software Security Assurance to Sun technologies are evidence of the flexibility of Oracle's security assurance programs. These should also result in tangible security benefits for the users of the Oracle hardware and software stack (such as a predictable patching schedule for all Oracle products).

    Read the article

  • February 2011 Java SE and Java for Business Critical Patch Update Released

    - by eric.maurice
    Hello, this is Eric Maurice again. Oracle released the February 2011 Critical Patch Update for Java SE and Java for Business today. As discussed in a previous blog entry, Oracle currently maintains a separate Critical Patch Update schedule for Java SE and Java for Business because of commitments made prior to the Oracle acquisition in regards to the timing for the publication of Java fixes. Today's Java Critical Patch Update includes fixes for 21 vulnerabilities. The most severe CVSS Base Score for vulnerabilities fixed in this CPU is 10.0, and this Base Score affects 8 vulnerabilities. Out of these 21 vulnerabilities, 13 affect Java client deployments. 12 of these 13 vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, which run in the Java sandbox with limited privileges. One of these 13 vulnerabilities can be exploited by running a standalone application. In addition, one of the client vulnerability affects Java Update, a Windows-specific component. 3 of the 21 vulnerabilities affect client and server deployments. These vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, as well as be exploited by supplying malicious data to APIs in the specified components, such as, for example, through a web service. 3 vulnerabilities affect Java server deployments only. These vulnerabilities can be exploited by supplying malicious data to APIs in the specified Java components. Note that one of these vulnerabilities (CVE-2010-4476) was the subject of a Security Alert released on February 8th. Finally, one of these vulnerabilities is specific to Java DB, a component in the Java JDK, but not included in the Java Runtime Environment (JRE). As usual, because of the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that Java customers apply it as soon as possible. The Critical Patch Advisory provides more details about the vulnerabilities addressed in the Critical Patch Update as well as instructions on how to install the fixes and where to get them. Home users should use the Java auto-update mechanism to install the latest version of the Java Runtime Environment 6 update 24 or higher (JRE), which includes the fix for this vulnerability. For More Information: The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html Consumers can go to http://www.java.com/en/download/installed.jsp to ensure that they have the latest version of Java running on their desktops. More information on Java Update is available at http://www.java.com/en/download/help/java_update.xml

    Read the article

  • Security Alert for CVE-2012-4681 Released

    - by Eric P. Maurice
    Hi, this is Eric Maurice again! Oracle has just released Security Alert CVE-2012-4681 to address 3 distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers.  These vulnerabilities are: CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547.  These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software. Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0.  This score assumes that the affected users have administrative privileges, as is typical in Windows XP.  Vulnerability CVE-20120-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments, but Oracle has issued a security-in-depth fix for this issue as it can be used in conjunction with other vulnerabilities to significantly increase the overall impact of a successful exploit. If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system.  Note that this malware may in some instances be detected by current antivirus signatures upon its installation.  Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible.  Furthermore, note that the technical details of these vulnerabilities are widely available on the Internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild.    Developers should download the latest release at http://www.oracle.com/technetwork/java/javase/downloads/index.html   Java users should download the latest release of JRE at http://java.com, and of course   Windows users can take advantage of the Java Automatic Update to get the latest release. For more information: The Advisory for Security Alert CVE-2012-4681 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html  Users can verify that they’re running the most recent version of Java by visiting: http://java.com/en/download/installed.jsp    Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml   

    Read the article

  • HTML5Rocks Live, Episode 1

    HTML5Rocks Live, Episode 1 In this episode of HTML5Rocks Live, Boris, Eric and Paul join us to show some great new libraries and performance tips. Please leave your comments on our plus page at goo.gl In the first chapter, Paul shows how to use some of Chrome's new developer tools to understand how things are rendering and get improved performance. In the second chapter (21:25), Boris shows off his new device.js library to help make development of mobile web applications and sites easier. Eric closes the hangout (40:00) and talks about his new file system API polyfill that uses indexed db as it's back end. 02:15 Scroll Effects Demo goo.gl 23:04 - Media Queries Site goo.gl 24:15 - WURFL goo.gl 26:40 - Boris' Device Library goo.gl 29:28 - Device.js Demo goo.gl 33:25 - Bug to add touch-enabled media query to Chrome, please star goo.gl 35:00 - Chrome's DevTools for Mobile Development 38:56 - Paul Irish's Touch Demos goo.gl 40:43 - File System API Book goo.gl 43:10 - Eric's idb.filesystem.js goo.gl 44:27 - idb.filesystem HTML5 File System Demo goo.gl 47:33 - HTML5 Filesystem Playground goo.gl From: GoogleDevelopers Views: 12239 221 ratings Time: 52:29 More in Science & Technology

    Read the article

  • Ubuntu 12.10 unmet dependencies

    - by John
    I have Ubuntu 12.10 with 3.2.0.24-generic #39-Ubuntu running on a Dell Inspiron 700m laptop. I have unmet dependencies as follows: root@John-700m:/home/John# sudo apt-get remove --purge linux-image-3.5.0-{18,27,31,34}-generic Reading package lists... Done Building dependency tree Reading state information... Done Package 'linux-image-3.5.0-18-generic' is not installed, so not removed Package 'linux-image-3.5.0-27-generic' is not installed, so not removed Package 'linux-image-3.5.0-31-generic' is not installed, so not removed Package 'linux-image-3.5.0-34-generic' is not installed, so not removed You might want to run 'apt-get -f install' to correct these: The following packages have unmet dependencies: linux-generic : Depends: linux-image-generic but it is not going to be installed linux-image-extra-3.5.0-18-generic : Depends: linux-image-3.5.0-18-generic but it is not going to be installed linux-image-extra-3.5.0-27-generic : Depends: linux-image-3.5.0-27-generic but it is not going to be installed linux-image-extra-3.5.0-31-generic : Depends: linux-image-3.5.0-31-generic but it is not going to be installed linux-image-extra-3.5.0-34-generic : Depends: linux-image-3.5.0-34-generic but it is not going to be installed E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution). I tried to remove the packages, but I still get the same error message. Any help would certainly be appreciated. @Eric, well noted. Here is the reults: model name : Intel(R) Pentium(R) M processor 1.60GHz flags : fpu vme de pse tsc msr mce cx8 mtrr pge mca cmov clflush dts acpi mmx fxsr sse sse2 ss tm pbe up bts est tm2 Thanks again. @Eric, If I need to downgrade to Ubuntu 12.04 from 12.10, can I do it without having to mess my current partition or files? I also have Windows XP running on the machine. Best. @Eric, if you are online, I could use your help (or anybody's else). I installed the package for non-pae unit and I still get the same error. Any suggestions? Thanks

    Read the article

  • Podcast Show Notes: By Any Other Name: Governance and Architecture

    - by Bob Rhubart
    The OTN ArchBeat Podcast returns from a brief summer hiatus with a three-part conversation about IT architecture and governance. My guests for this conversation are Eric Stephens , an Oracle Enterprise architect and a frequent guest on this program. Joining Eric on the panel is Tim Hall , Senior Director of product management for the Oracle Enterprise Repository, Oracle Service Registry, and Oracle Application Integration Architecture. Tim made his first appearance on ArchBeat as panelist on the recent program featuring Thomas Erl. The Conversation Listen to Part 1:Why it's important to revive the dormant conversation about IT governance. Listen to Part 2 (Sept 19): Balancing functional, technical, operational requirements to meet the challenge of defining appropriate governance "guardrails." Listen to Part 3 (Sept 26): Bringing IT architecture out of the ivory tower to make governance a less intimidating, more collaborative process. Additional Resources Leveraging Governance to Sustain Enterprise Architecture Efforts, an Oracle white paper by Eric Stephens. SOA, Cloud, and Service Technologies, a transcript of an ArchBeat interview with Thomas Erl, Tim Hall, and Demed L'Her, in which Tim says the following about governance: "For a long time people have argued that SOA governance is sort of an awkward name, no one wanted to be audited. There's 50% of the world that think, yes, we're going to have to tops down initiative to address this and there's 50% of the world that says that it feels like a heavy weight process that I want no part of. So what I think we should do is change the name…"

    Read the article

  • divert asp.net child controls

    - by Eric
    Hi Folks, I am trying to create an asp.net custom control that acts as a hosting container for any other controls, similar to the existing ‘Panel’ control. Basically, I need to build a web control that groups a bunch of other controls. It will consist of a header and a body pane, similar to a normal window in desktop application. The header will contain some simple text and some JavaScript driven code that shows/hides the body pane. The body pane simply hosts any number of other controls. +------------------------------------------------------+ | User Details Show/Hide | +------------------------------------------------------+ | Name: [Eric ] | | Address: [Some where] | | Date of Birth: [01/01/1980] | | | | (any other fields goes on) | | | | | +------------------------------------------------------+ Ideally I want to create a control that packs the whole thing together, so at design time I could use the following markup. <myCtl:SuperContainer runat=”server” Title=”User Details”> <asp:label id=”lblName” runat=”server” text=”Name:”/> <asp:textbox id=”txtName” runat=”server”/> <asp:label id=”lblDOB” runat=”server” text=”Date of Birth:”/> <asp:textbox id=”txtDOB” runat=”server”/> (…other controls definition…) </myCtl:SuperContainer> I plan to include two panels in my control, one for the header and another one for the body, but as you can see, the key issue is to find a way to ‘divert’ the child controls that are defined in the markup to the body panel, instead of the default parent container. I feel it can be some how simply override (manipulate) the control property, but don’t know how to properly do so. Can any one give some idea about how to implement this ‘SuperContainer’ control? Many thank, Eric

    Read the article

  • Get filename from path

    - by Eric
    I am trying to parse the filename from paths. I have this: my $filepath = "/Users/Eric/Documents/foldername/filename.pdf"; $filepath =~ m/^.*\\(.*[.].*)$/; print "Linux path:"; print $1 . "\n\n"; print "-------\n"; my $filepath = "c:\\Windows\eric\filename.pdf"; $filepath =~ m/^.*\\(.*[.].*)$/; print "Windows path:"; print $1 . "\n\n"; print "-------\n"; my $filepath = "filename.pdf"; $filepath =~ m/^.*\\(.*[.].*)$/; print "Without path:"; print $1 . "\n\n"; print "-------\n"; But that returns: Linux path: ------- Windows path:Windowsic ilename.pdf ------- Without path:Windowsic ilename.pdf ------- I am expecting this: Linux path: filename.pdf ------- Windows path: filename.pdf ------- Without path: filename.pdf ------- Can somebody please point out what I am doing wrong? Thanks! :)

    Read the article

  • How can I get a filename from a path with Perl?

    - by Eric
    I am trying to parse the filename from paths. I have this: my $filepath = "/Users/Eric/Documents/foldername/filename.pdf"; $filepath =~ m/^.*\\(.*[.].*)$/; print "Linux path:"; print $1 . "\n\n"; print "-------\n"; my $filepath = "c:\\Windows\eric\filename.pdf"; $filepath =~ m/^.*\\(.*[.].*)$/; print "Windows path:"; print $1 . "\n\n"; print "-------\n"; my $filepath = "filename.pdf"; $filepath =~ m/^.*\\(.*[.].*)$/; print "Without path:"; print $1 . "\n\n"; print "-------\n"; But that returns: Linux path: ------- Windows path:Windowsic ilename.pdf ------- Without path:Windowsic ilename.pdf ------- I am expecting this: Linux path: filename.pdf ------- Windows path: filename.pdf ------- Without path: filename.pdf ------- Can somebody please point out what I am doing wrong? Thanks! :)

    Read the article

  • A New Threat To Web Applications: Connection String Parameter Pollution (CSPP)

    - by eric.maurice
    Hi, this is Shaomin Wang. I am a security analyst in Oracle's Security Alerts Group. My primary responsibility is to evaluate the security vulnerabilities reported externally by security researchers on Oracle Fusion Middleware and to ensure timely resolution through the Critical Patch Update. Today, I am going to talk about a serious type of attack: Connection String Parameter Pollution (CSPP). Earlier this year, at the Black Hat DC 2010 Conference, two Spanish security researchers, Jose Palazon and Chema Alonso, unveiled a new class of security vulnerabilities, which target insecure dynamic connections between web applications and databases. The attack called Connection String Parameter Pollution (CSPP) exploits specifically the semicolon delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). In today's blog, we are going to first look at what connection strings are and then review the different ways connection string injections can be leveraged by malicious hackers. We will then discuss how CSPP differs from traditional connection string injection, and the measures organizations can take to prevent this kind of attacks. In web applications, a connection string is a set of values that specifies information to connect to backend data repositories, in most cases, databases. The connection string is passed to a provider or driver to initiate a connection. Vendors or manufacturers write their own providers for different databases. Since there are many different providers and each provider has multiple ways to make a connection, there are many different ways to write a connection string. Here are some examples of connection strings from Oracle Data Provider for .Net/ODP.Net: Oracle Data Provider for .Net / ODP.Net; Manufacturer: Oracle; Type: .NET Framework Class Library: - Using TNS Data Source = orcl; User ID = myUsername; Password = myPassword; - Using integrated security Data Source = orcl; Integrated Security = SSPI; - Using the Easy Connect Naming Method Data Source = username/password@//myserver:1521/my.server.com - Specifying Pooling parameters Data Source=myOracleDB; User Id=myUsername; Password=myPassword; Min Pool Size=10; Connection Lifetime=120; Connection Timeout=60; Incr Pool Size=5; Decr Pool Size=2; There are many variations of the connection strings, but the majority of connection strings are key value pairs delimited by semicolons. Attacks on connection strings are not new (see for example, this SANS White Paper on Securing SQL Connection String). Connection strings are vulnerable to injection attacks when dynamic string concatenation is used to build connection strings based on user input. When the user input is not validated or filtered, and malicious text or characters are not properly escaped, an attacker can potentially access sensitive data or resources. For a number of years now, vendors, including Oracle, have created connection string builder class tools to help developers generate valid connection strings and potentially prevent this kind of vulnerability. Unfortunately, not all application developers use these utilities because they are not aware of the danger posed by this kind of attacks. So how are Connection String parameter Pollution (CSPP) attacks different from traditional Connection String Injection attacks? First, let's look at what parameter pollution attacks are. Parameter pollution is a technique, which typically involves appending repeating parameters to the request strings to attack the receiving end. Much of the public attention around parameter pollution was initiated as a result of a presentation on HTTP Parameter Pollution attacks by Stefano Di Paola and Luca Carettoni delivered at the 2009 Appsec OWASP Conference in Poland. In HTTP Parameter Pollution attacks, an attacker submits additional parameters in HTTP GET/POST to a web application, and if these parameters have the same name as an existing parameter, the web application may react in different ways depends on how the web application and web server deal with multiple parameters with the same name. When applied to connections strings, the rule for the majority of database providers is the "last one wins" algorithm. If a KEYWORD=VALUE pair occurs more than once in the connection string, the value associated with the LAST occurrence is used. This opens the door to some serious attacks. By way of example, in a web application, a user enters username and password; a subsequent connection string is generated to connect to the back end database. Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; In the password field, if the attacker enters "xxx; Integrated Security = true", the connection string becomes, Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; Intergrated Security = true; Under the "last one wins" principle, the web application will then try to connect to the database using the operating system account under which the application is running to bypass normal authentication. CSPP poses serious risks for unprepared organizations. It can be particularly dangerous if an Enterprise Systems Management web front-end is compromised, because attackers can then gain access to control panels to configure databases, systems accounts, etc. Fortunately, organizations can take steps to prevent this kind of attacks. CSPP falls into the Injection category of attacks like Cross Site Scripting or SQL Injection, which are made possible when inputs from users are not properly escaped or sanitized. Escaping is a technique used to ensure that characters (mostly from user inputs) are treated as data, not as characters, that is relevant to the interpreter's parser. Software developers need to become aware of the danger of these attacks and learn about the defenses mechanism they need to introduce in their code. As well, software vendors need to provide templates or classes to facilitate coding and eliminate developers' guesswork for protecting against such vulnerabilities. Oracle has introduced the OracleConnectionStringBuilder class in Oracle Data Provider for .NET. Using this class, developers can employ a configuration file to provide the connection string and/or dynamically set the values through key/value pairs. It makes creating connection strings less error-prone and easier to manager, and ultimately using the OracleConnectionStringBuilder class provides better security against injection into connection strings. For More Information: - The OracleConnectionStringBuilder is located at http://download.oracle.com/docs/cd/B28359_01/win.111/b28375/OracleConnectionStringBuilderClass.htm - Oracle has developed a publicly available course on preventing SQL Injections. The Server Technologies Curriculum course "Defending Against SQL Injection Attacks!" is located at http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm - The OWASP web site also provides a number of useful resources. It is located at http://www.owasp.org/index.php/Main_Page

    Read the article

  • October 2012 Critical Patch Update and Critical Patch Update for Java SE Released

    - by Eric P. Maurice
    Hi, this is Eric Maurice. Oracle has just released the October 2012 Critical Patch Update and the October 2012 Critical Patch Update for Java SE.  As a reminder, the release of security patches for Java SE continues to be on a different schedule than for other Oracle products due to commitments made to customers prior to the Oracle acquisition of Sun Microsystems.  We do however expect to ultimately bring Java SE in line with the regular Critical Patch Update schedule, thus increasing the frequency of scheduled security releases for Java SE to 4 times a year (as opposed to the current 3 yearly releases).  The schedules for the “normal” Critical Patch Update and the Critical Patch Update for Java SE are posted online on the Critical Patch Updates and Security Alerts page. The October 2012 Critical Patch Update provides a total of 109 new security fixes across a number of product families including: Oracle Database Server, Oracle Fusion Middleware, Oracle E-Business Suite, Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Customer Relationship Management (CRM), Oracle Industry Applications, Oracle FLEXCUBE, Oracle Sun products suite, Oracle Linux and Virtualization, and Oracle MySQL. Out of these 109 new vulnerabilities, 5 affect Oracle Database Server.  The most severe of these Database vulnerabilities has received a CVSS Base Score of 10.0 on Windows platforms and 7.5 on Linux and Unix platforms.  This vulnerability (CVE-2012-3137) is related to the “Cryptographic flaws in Oracle Database authentication protocol” disclosed at the Ekoparty Conference.  Because of timing considerations (proximity to the release date of the October 2012 Critical Patch Update) and the need to extensively test the fixes for this vulnerability to ensure compatibility across the products stack, the fixes for this vulnerability were not released through a Security Alert, but instead mitigation instructions were provided prior to the release of the fixes in this Critical Patch Update in My Oracle Support Note 1492721.1.  Because of the severity of these vulnerabilities, Oracle recommends that this Critical Patch Update be installed as soon as possible. Another 26 vulnerabilities fixed in this Critical Patch Update affect Oracle Fusion Middleware.  The most severe of these Fusion Middleware vulnerabilities has received a CVSS Base Score of 10.0; it affects Oracle JRockit and is related to Java vulnerabilities fixed in the Critical Patch Update for Java SE.  The Oracle Sun products suite gets 18 new security fixes with this Critical Patch Update.  Note also that Oracle MySQL has received 14 new security fixes; the most severe of these MySQL vulnerabilities has received a CVSS Base Score of 9.0. Today’s Critical Patch Update for Java SE provides 30 new security fixes.  The most severe CVSS Base Score for these Java SE vulnerabilities is 10.0 and this score affects 10 vulnerabilities.  As usual, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running a Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System.  Also, as is typical in the Critical Patch Update for Java SE, most of the vulnerabilities affect Java and Java FX client deployments only.  Only 2 of the Java SE vulnerabilities fixed in this Critical Patch Update affect client and server deployments of Java SE, and only one affects server deployments of JSSE.  This reflects the fact that Java running on servers operate in a more secure and controlled environment.  As discussed during a number of sessions at JavaOne, Oracle is considering security enhancements for Java in desktop and browser environments.  Finally, note that the Critical Patch Update for Java SE is cumulative, in other words it includes all previously released security fixes, including the fix provided through Security Alert CVE-2012-4681, which was released on August 30, 2012. For More Information: The October 2012 Critical Patch Update advisory is located at http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html The October 2012 Critical Patch Update for Java SE advisory is located at http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html.  An online video about the importance of keeping up with Java releases and the use of the Java auto update is located at http://medianetwork.oracle.com/video/player/1218969104001 More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html  

    Read the article

  • #OOW 2012: Big Data and The Social Revolution

    - by Eric Bezille
    As what was saying Cognizant CSO Malcolm Frank about the "Futur of Work", and how the Business should prepare in the face of the new generation  not only of devices and "internet of things" but also due to their users ("The Millennials"), moving from "consumers" to "prosumers" :  we are at a turning point today which is bringing us to the next IT Architecture Wave. So this is no more just about putting Big Data, Social Networks and Customer Experience (CxM) on top of old existing processes, it is about embracing the next curve, by identifying what processes need to be improve, but also and more importantly what processes are obsolete and need to be get ride of, and new processes put in place. It is about managing both the hierarchical and structured Enterprise and its social connections and influencers inside and outside of the Enterprise. And this does apply everywhere, up to the Utilities and Smart Grids, where it is no more just about delivering (faster) the same old 300 reports that have grown over time with those new technologies but to understand what need to be looked at, in real-time, down to an hand full relevant reports with the KPI relevant to the business. It is about how IT can anticipate the next wave, and is able to answers Business questions, and give those capabilities in real-time right at the hand of the decision makers... This is the turning curve, where IT is really moving from the past decade "Cost Center" to "Value for the Business", as Corporate Stakeholders will be able to touch the value directly at the tip of their fingers. It is all about making Data Driven Strategic decisions, encompassed and enriched by ALL the Data, and connected to customers/prosumers influencers. This brings to stakeholders the ability to make informed decisions on question like : “What would be the best Olympic Gold winner to represent my automotive brand ?”... in a few clicks and in real-time, based on social media analysis (twitter, Facebook, Google+...) and connections link to my Enterprise data. A true example demonstrated by Larry Ellison in real-time during his yesterday’s key notes, where “Hardware and Software Engineered to Work Together” is not only about extreme performances but also solutions that Business can touch thanks to well integrated Customer eXperience Management and Social Networking : bringing the capabilities to IT to move to the IT Architecture Next wave. An example, illustrated also todays in 2 others sessions, that I had the opportunity to attend. The first session bringing the “Internet of Things” in Oil&Gaz into actionable decisions thanks to Complex Event Processing capturing sensors data with the ready to run IT infrastructure leveraging Exalogic for the CEP side, Exadata for the enrich datasets and Exalytics to provide the informed decision interface up to end-user. The second session showing Real Time Decision engine in action for ACCOR hotels, with Eric Wyttynck, VP eCommerce, and his Technical Director Pascal Massenet. I have to close my post here, as I have to go to run our practical hands-on lab, cooked with Olivier Canonge, Christophe Pauliat and Simon Coter, illustrating in practice the Oracle Infrastructure Private Cloud recently announced last Sunday by Larry, and developed through many examples this morning by John Folwer. John also announced today Solaris 11.1 with a range of network innovation and virtualization at the OS level, as well as many optimizations for applications, like for Oracle RAC, with the introduction of the lock manager inside Solaris Kernel. Last but not least, he introduced Xsigo Datacenter Fabric for highly simplified networks and storage virtualization for your Cloud Infrastructure. Hoping you will get ready to jump on the next wave, we are here to help...

    Read the article

  • Kinect losing tracked players with Beta2 SDK

    - by Eric B
    So i'm creating a game using the Beta2 SDK for Kinect. The issue i am having is that in the middle of gameplay if another person enters the Kinects FOV it stops tracking the player and will not track anyone else for several minutes. Same deal if the player leaves the FOV and reenters it. Here is what im using to detect players. void nui_SkeletonFrameReady(object sender, SkeletonFrameReadyEventArgs e) { int playersAlive = 0; // reset lists skeletons = new Dictionary<int, SkeletonData>(); //create a new list for skeletons menuSkeleton = new List<SkeletonData>(); initialPlayers = new Dictionary<float, SkeletonData>(); //create a new list for initialPlayers foreach (SkeletonData s in e.SkeletonFrame.Skeletons) //for each skeleton the kinect has detected { if (s.TrackingState == SkeletonTrackingState.Tracked) // players found { menuSkeleton.Add(s); if (initialized) // after initialization { skeletons.Add(s.TrackingID, s); } else // before initialization initialPlayers.Add(s.Joints[JointID.ShoulderCenter].Position.X, s); //if we are not initialized then add this player to the inital player list. playersAlive++; } } if (playersAlive == TOTAL_PLAYERS_ALLOWED) // If there is one player { if (!inMiniGame) // Before the game starts gameStart = DateTime.Now; // Reset initialization timer if (!initialized) // Before initialization // NOTE TO SELF I TOOK OUT && inMenu { InitializePlayers(); if (DateTime.Now.Subtract(gameStart).TotalMilliseconds > INITIALIZATION_WAIT_TIME) { initialized = true; // initialize timers from fixed starting time if (inMiniGame) //if the game has started { gamePause = gameStart; //TODO ERIC: Initialize any Timers Here } } } } } /// <summary> /// this function initializes the players adding them to a list /// and making one of the players the menu controller, for LIM we will need to change the code so that the /// game only recognizes and supports one player at a time /// variable names will need to be change as well. /// </summary> private void InitializePlayers() { List<float> initialPos = new List<float>(); // used to track starting positions players = new Dictionary<int, Player>(); foreach (float pos in initialPlayers.Keys) { initialPos.Add(pos); //add position of each inital player to list } float first = initialPos[0]; // left player first, right second Player player = new Player(initialPlayers[first].TrackingID, true); player.PlayerNumber = PLAYER_ONE; player.Skeleton = initialPlayers[first]; player.Specifics = new PlayerSpecifics(player.PlayerNumber); player.Specifics.PauseTimer = gameStart; players.Add(initialPlayers[first].TrackingID, player); menuController = initialPlayers[first].TrackingID; //menu controller is player 1 } This is a one player game. Also when the game starts Initialize is set to false, and gets set to true when i go from the games menu into the gameplay. So can anyone see any issues with this code block that would cause the kinect to lose players as they enter/exit the FOV? and not re-track them? Thank you for any help.

    Read the article

  • Take Advantage of Oracle's Ongoing Assurance Effort!

    - by eric.maurice
    Hi, this is Eric Maurice again! A few years ago, I posted a blog entry, which discussed the psychology of patching. The point of this blog entry was that a natural tendency existed for systems and database administrators to be reluctant to apply patches, even security patches, because of the fear of "breaking" the system. Unfortunately, this belief in the principle "if it ain't broke, don't fix it!" creates significant risks for organizations. Running systems without applying the proper security patches can greatly compromise the security posture of the organization because the security controls available in the affected system may be compromised as a result of the existence of the unfixed vulnerabilities. As a result, Oracle continues to strongly recommend that customers apply all security fixes as soon as possible. Most recently, I have had a number of conversations with customers who questioned the need to upgrade their highly stable but otherwise unsupported Oracle systems. These customers wanted to know more about the kind of security risks they were exposed to, by running obsolete versions of Oracle software. As per Oracle Support Policies, Critical Patch Updates are produced for currently supported products. In other words, Critical Patch Updates are not created by Oracle for product versions that are no longer covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. One statement used in each Critical Patch Update Advisory is particularly important: "We recommend that customers upgrade to a supported version of Oracle products in order to obtain patches. Unsupported products, releases and versions are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities." The purpose of this warning is to inform Oracle customers that a number of the vulnerabilities fixed in each Critical Patch Update may affect older versions of a specific product line. In other words, each Critical Patch Update provides a number of fixes for currently supported versions of a given product line (this information is listed for each bug in the Risk Matrices of the Critical Patch Update Advisory), but the unsupported versions in the same product line, while they may be affected by the vulnerabilities, will not receive the fixes, and are therefore vulnerable to attacks. The risk assumed by organizations wishing to remain on unsupported versions is amplified by the behavior of malicious hackers, who typically will attempt to, and sometimes succeed in, reverse-engineering the content of vendors' security fixes. As a result, it is not uncommon for exploits to be published soon after Oracle discloses vulnerabilities with the release of a Critical Patch Update or Security Alert. Let's consider now the nature of the vulnerabilities that may exist in obsolete versions of Oracle software. A number of severe vulnerabilities have been fixed by Oracle over the years. While Oracle does not test unsupported products, releases and versions for the presence of vulnerabilities addressed by each Critical Patch Update, it should be assumed that a number of the vulnerabilities fixed with the Critical Patch Update program do exist in unsupported versions (regardless of the product considered). The most severe vulnerabilities fixed in past Critical Patch Updates may result in full compromise of the targeted systems, down to the OS level, by remote and unauthenticated users (these vulnerabilities receive a CVSS Base Score of 10.0) or almost as critically, may result in the compromise of the affected systems (without compromising the underlying OS) by a remote and unauthenticated users (these vulnerabilities receive a CVSS Base Score of 7.5). Such vulnerabilities may result in complete takeover of the targeted machine (for the CVSS 10.0), or may result in allowing the attacker the ability to create a denial of service against the affected system or even hijacking or stealing all the data hosted by the compromised system (for the CVSS 7.5). The bottom line is that organizations should assume the worst case: that the most critical vulnerabilities are present in their unsupported version; therefore, it is Oracle's recommendation that all organizations move to supported systems and apply security patches in a timely fashion. Organizations that currently run supported versions but may be late in their security patch release level can quickly catch up because most Critical Patch Updates are cumulative. With a few exceptions noted in Oracle's Critical Patch Update Advisory, the application of the most recent Critical Patch Update will bring these products to current security patch level and provide the organization with the best possible security posture for their patch level. Furthermore, organizations are encouraged to upgrade to most recent versions as this will greatly improve their security posture. At Oracle, our security fixing policies state that security fixes are produced for the main code line first, and as a result, our products benefit from the mistakes made in previous version(s). Our ongoing assurance effort ensures that we work diligently to fix the vulnerabilities we find, and aim at constantly improving the security posture our products provide by default. Patch sets include numerous in-depth fixes in addition to those delivered through the Critical Patch Update and, in certain instances, important security fixes require major architectural changes that can only be included in new product releases (and cannot be backported through the Critical Patch Update program). For More Information: • Mary Ann Davidson is giving a webcast interview on Oracle Software Security Assurance on February 24th. The registration link for attending this webcast is located at http://event.on24.com/r.htm?e=280304&s=1&k=6A7152F62313CA09F77EBCEEA9B6294F&partnerref=EricMblog • A blog entry discussing Oracle's practices for ensuring the quality of Critical patch Updates can be found at http://blogs.oracle.com/security/2009/07/ensuring_critical_patch_update_quality.html • The blog entry "To patch or not to patch" is located at http://blogs.oracle.com/security/2008/01/to_patch_or_not_to_patch.html • Oracle's Support Policies are located at http://www.oracle.com/us/support/policies/index.html • The Critical Patch Update & Security Alert page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

    Read the article

  • how do I have a windows group automatically map a drive on connection?

    - by Eric Martin
    I have 3 different windows user groups. Each group needs to have a certain drive mapped, unique to that group. Is there a way to say x group maps to y drive every time they connect? If I put something in their start up, that's a lot of manual work. I am needing something that I have set per user group, if possible. If this is not feasible, is there another option? Thanks again for the help! Eric

    Read the article

  • Rogue program disabled access to Firefox's "Get add-ons" and "Extensions". How can I get them back?

    - by Eric
    After installing a program called "FreeFileViewer", the program disabled access to Firefox's "Get add-ons" and "Extensions" options. To make matters worse, it installed the Yahoo! toolbar that I now can't remove (because it disabled Firefox's options to do so). Please help. Any advice you can give me to restore these Firefox options would be greatly appreciated! BTW, I am running Firefox 15.0.1 on a Windows 7 machine. Thanks, in advance, for your help! -- Eric

    Read the article

  • How to Select Items in Dropdown in Selenium

    - by Marcus Gladir
    Firstly, I have been trying to get the dropdown from this web page: http://solutions.3m.com/wps/portal/3M/en_US/Interconnect/Home/Products/ProductCatalog/Catalog/?PC_Z7_RJH9U5230O73D0ISNF9B3C3SI1000000_nid=RFCNF5FK7WitWK7G49LP38glNZJXPCDXLDbl This is the code I have: import urllib2 from bs4 import BeautifulSoup import re from pprint import pprint import sys from selenium import common from selenium import webdriver import selenium.webdriver.support.ui as ui from boto.s3.key import Key import requests url = 'http://solutions.3m.com/wps/portal/3M/en_US/Interconnect/Home/Products/ProductCatalog/Catalog/?PC_Z7_RJH9U5230O73D0ISNF9B3C3SI1000000_nid=RFCNF5FK7WitWK7G49LP38glNZJXPCDXLDbl' element_xpath = '//*[@id="Component1"]' driver = webdriver.PhantomJS() driver.get(url) element = driver.find_element_by_xpath(element_xpath) element_xpath = '/option[@value="02"]' all_options = element.find_elements_by_tag_name("option") for option in all_options: print("Value is: %s" % option.get_attribute("value")) option.click() source = driver.page_source.encode('utf-8', 'ignore') driver.quit() source = str(source) soup = BeautifulSoup(source, 'html.parser') print soup What prints out is this: Traceback (most recent call last): File "../../../../test.py", line 58, in <module> Value is: XX main() File "../../../../test.py", line 46, in main option.click() File "/home/eric/dev/octocrawler-env/local/lib/python2.7/site-packages/selenium-2.33.0-py2.7.egg/selenium/webdriver/remote/webelement.py", line 54, in click self._execute(Command.CLICK_ELEMENT) File "/home/eric/dev/octocrawler-env/local/lib/python2.7/site-packages/selenium-2.33.0-py2.7.egg/selenium/webdriver/remote/webelement.py", line 228, in _execute return self._parent.execute(command, params) File "/home/eric/dev/octocrawler-env/local/lib/python2.7/site-packages/selenium-2.33.0-py2.7.egg/selenium/webdriver/remote/webdriver.py", line 165, in execute self.error_handler.check_response(response) File "/home/eric/dev/octocrawler-env/local/lib/python2.7/site-packages/selenium-2.33.0-py2.7.egg/selenium/webdriver/remote/errorhandler.py", line 158, in check_response raise exception_class(message, screen, stacktrace) selenium.common.exceptions.ElementNotVisibleException: Message: u'{"errorMessage":"Element is not currently visible and may not be manipulated","request":{"headers":{"Accept":"application/json","Accept-Encoding":"identity","Connection":"close","Content-Length":"81","Content-Type":"application/json;charset=UTF-8","Host":"127.0.0.1:51413","User-Agent":"Python-urllib/2.7"},"httpVersion":"1.1","method":"POST","post":"{\\"sessionId\\": \\"30e4fd50-f0e4-11e3-8685-6983e831d856\\", \\"id\\": \\":wdc:1402434863875\\"}","url":"/click","urlParsed":{"anchor":"","query":"","file":"click","directory":"/","path":"/click","relative":"/click","port":"","host":"","password":"","user":"","userInfo":"","authority":"","protocol":"","source":"/click","queryKey":{},"chunks":["click"]},"urlOriginal":"/session/30e4fd50-f0e4-11e3-8685-6983e831d856/element/%3Awdc%3A1402434863875/click"}}' ; Screenshot: available via screen And the weirdest most infuriating bit of it all is that sometimes it actually all works out. I have no clue what's going on here.

    Read the article

  • How to bypass AllowTCPFowarding=no by installing own forwarder?

    - by Eric B.
    In the man pages for sshd_config, for the AllowTCPForwarding option, it states: AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is “yes”. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. How do I install my own forwarder? I have a remote server in which I disabled TCPForwarding a long while ago. I would like to "enable" it for myself only, by using my own forwarder, while keeping the forwarding closed to the other users. I've looked around, but cannot seem to find the right pkgs to accomplish this. Can anyone please elaborate? Thanks! Eric

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >