FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server (fwd)

Nick Lewis lewisnic@egr.msu.edu
Wed, 1 Mar 2000 12:59:44 -0500 

It's all platforms that runs MySQL. You will need to update to 3.22.32
or 3.23.11. Thanks. Nick.

Nick Lewis
DECS
HA! I laugh in the face of free time!
http://www.sciencetheatre.org
----- Original Message -----
From: Edward Glowacki <glowack2@key-largo.cl.msu.edu>
To: Linux User's Group <linux-user@egr.msu.edu>
Sent: Wednesday, March 01, 2000 12:42 PM
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server
(fwd)


> I'm not sure if this bug applies to FreeBSD+MySQL or if it applies
to all
> platforms and MySQL, so I thought I'd pass it on in case anyone on
the
> list uses MySQL.
>
> --
> Edward Glowacki glowack2@msu.edu
>
> ---------- Forwarded message ----------
> Date: Mon, 28 Feb 2000 21:26:46 -0800
> From: FreeBSD Security Officer <security-officer@freebsd.org>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
======================================================================
=======
> FreeBSD-SA-00:05                                           Security
Advisory
>
FreeBSD, Inc.
>
> Topic:          MySQL allows bypassing of password authentication
>
> Category:       ports
> Module:         mysql322-server
> Announced:      2000-02-28
> Affects:        Ports collection before the correction date.
> Corrected:      2000-02-15
> FreeBSD only:   NO
>
> I.   Background
>
> MySQL is a popular SQL database client/server distributed as part of
the
> FreeBSD ports collection.
>
> II.  Problem Description
>
> The MySQL database server (versions prior to 3.22.32) has a flaw in
the
> password authentication mechanism which allows anyone who can
connect to
> the server to access databases without requiring a password, given a
valid
> username on the database - in other words, the normal password
> authentication mechanism can be completely bypassed.
>
> MySQL is not installed by default, nor is it "part of FreeBSD" as
such: it
> is part of the FreeBSD ports collection, which contains over 3100
> third-party applications in a ready-to-install format.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security
audit
> of the most security-critical ports.
>
> III. Impact
>
> The successful attacker will have all of the access rights of that
> database user and may be able to read, add or modify records.
>
> If you have not chosen to install the mysql322-server port/package,
then
> your system is not vulnerable.
>
> IV.  Workaround
>
> Use appropriate access-control lists to limit which hosts can
initiate
> connections to MySQL databases - see:
>
> http://www.mysql.com/Manual_chapter/manual_Privilege_system.html
>
> for more information. If unrestricted remote access to the database
is not
> required, consider using ipfw(8) or ipf(8), or your network
perimeter
> firewall, to prevent remote access to the database from untrusted
machines
> (MySQL uses TCP port 3306 for network communication). Note that
users who
> have access to machines which are allowed to initiate database
connections
> (e.g. local users) can still exploit the security hole.
>
> V.   Solution
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the
mysql322-server
> port.
>
> 2) Reinstall a new package obtained from:
>
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databas
es/mysql-server-3.22.32.tgz
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databa
ses/mysql-server-3.22.32.tgz
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/datab
ases/mysql-server-3.22.32.tgz
>
> 3) download a new port skeleton for the mysql322-server port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or
the
> package can be obtained from:
>
>
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.
0.tgz
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBOLtYEVUuHi5z0oilAQHtbwP/TF0hNZwrO/wAuBjYF8Eff5aDU1KtnA9D
> u0bcUakDgF/nODVxgOFZ1MfaK95PAhRqdYvtwssTqTXwlRB+PU0vtwjdt3p3l8d3
> SixfhxT+Ys/v222jK+o6lJdxfKOC4chNDseboSRoCSLEESNl2NDGkBKezKSzzlng
> vzxtva695bI=
> =KYqf
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
>