FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server (fwd)
Nick Lewis
lewisnic@egr.msu.edu
Wed, 1 Mar 2000 12:59:44 -0500
It's all platforms that runs MySQL. You will need to update to 3.22.32
or 3.23.11. Thanks. Nick.
Nick Lewis
DECS
HA! I laugh in the face of free time!
http://www.sciencetheatre.org
----- Original Message -----
From: Edward Glowacki <glowack2@key-largo.cl.msu.edu>
To: Linux User's Group <linux-user@egr.msu.edu>
Sent: Wednesday, March 01, 2000 12:42 PM
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server
(fwd)
> I'm not sure if this bug applies to FreeBSD+MySQL or if it applies
to all
> platforms and MySQL, so I thought I'd pass it on in case anyone on
the
> list uses MySQL.
>
> --
> Edward Glowacki glowack2@msu.edu
>
> ---------- Forwarded message ----------
> Date: Mon, 28 Feb 2000 21:26:46 -0800
> From: FreeBSD Security Officer <security-officer@freebsd.org>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
======================================================================
=======
> FreeBSD-SA-00:05 Security
Advisory
>
FreeBSD, Inc.
>
> Topic: MySQL allows bypassing of password authentication
>
> Category: ports
> Module: mysql322-server
> Announced: 2000-02-28
> Affects: Ports collection before the correction date.
> Corrected: 2000-02-15
> FreeBSD only: NO
>
> I. Background
>
> MySQL is a popular SQL database client/server distributed as part of
the
> FreeBSD ports collection.
>
> II. Problem Description
>
> The MySQL database server (versions prior to 3.22.32) has a flaw in
the
> password authentication mechanism which allows anyone who can
connect to
> the server to access databases without requiring a password, given a
valid
> username on the database - in other words, the normal password
> authentication mechanism can be completely bypassed.
>
> MySQL is not installed by default, nor is it "part of FreeBSD" as
such: it
> is part of the FreeBSD ports collection, which contains over 3100
> third-party applications in a ready-to-install format.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security
audit
> of the most security-critical ports.
>
> III. Impact
>
> The successful attacker will have all of the access rights of that
> database user and may be able to read, add or modify records.
>
> If you have not chosen to install the mysql322-server port/package,
then
> your system is not vulnerable.
>
> IV. Workaround
>
> Use appropriate access-control lists to limit which hosts can
initiate
> connections to MySQL databases - see:
>
> http://www.mysql.com/Manual_chapter/manual_Privilege_system.html
>
> for more information. If unrestricted remote access to the database
is not
> required, consider using ipfw(8) or ipf(8), or your network
perimeter
> firewall, to prevent remote access to the database from untrusted
machines
> (MySQL uses TCP port 3306 for network communication). Note that
users who
> have access to machines which are allowed to initiate database
connections
> (e.g. local users) can still exploit the security hole.
>
> V. Solution
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the
mysql322-server
> port.
>
> 2) Reinstall a new package obtained from:
>
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databas
es/mysql-server-3.22.32.tgz
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databa
ses/mysql-server-3.22.32.tgz
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/datab
ases/mysql-server-3.22.32.tgz
>
> 3) download a new port skeleton for the mysql322-server port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or
the
> package can be obtained from:
>
>
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.
0.tgz
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBOLtYEVUuHi5z0oilAQHtbwP/TF0hNZwrO/wAuBjYF8Eff5aDU1KtnA9D
> u0bcUakDgF/nODVxgOFZ1MfaK95PAhRqdYvtwssTqTXwlRB+PU0vtwjdt3p3l8d3
> SixfhxT+Ys/v222jK+o6lJdxfKOC4chNDseboSRoCSLEESNl2NDGkBKezKSzzlng
> vzxtva695bI=
> =KYqf
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
>