Date: Tue, 29 Feb 2000 09:38:57 -0500 From: "Mitch Vincent" <mitch@venux.net> To: <freebsd-questions@freebsd.org> Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server Message-ID: <006701bf82c2$b6436680$40ee2fd8@venux.net>
next in thread | raw e-mail | index | archive | help
I'm guessing everyone has seen this, however I'm concerned. If this is a MySQL bug, there is nothing on MySQL's site about it. The email references the "322-server", there have been 32 more releases (patch levels but still, releases) since 3.22 (if there even was a 3.22 to start with).. Is this a bug that only effects the MySQL server installed from the ports? If so, I'm not sure I understand how that can be if it's a bug in MySQL itself. I've very concerned as we run several MySQL servers that could be effected by this. Thanks! - Mitch ----- Original Message ----- From: FreeBSD Security Officer <security-officer@freebsd.org>; FreeBSD Security Officer <security-officer@freebsd.org> To: <undisclosed-recipients: ;> Sent: Tuesday, February 29, 2000 12:26 AM Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================ = > FreeBSD-SA-00:05 Security Advisory > FreeBSD, Inc. > > Topic: MySQL allows bypassing of password authentication > > Category: ports > Module: mysql322-server > Announced: 2000-02-28 > Affects: Ports collection before the correction date. > Corrected: 2000-02-15 > FreeBSD only: NO > > I. Background > > MySQL is a popular SQL database client/server distributed as part of the > FreeBSD ports collection. > > II. Problem Description > > The MySQL database server (versions prior to 3.22.32) has a flaw in the > password authentication mechanism which allows anyone who can connect to > the server to access databases without requiring a password, given a valid > username on the database - in other words, the normal password > authentication mechanism can be completely bypassed. > > MySQL is not installed by default, nor is it "part of FreeBSD" as such: it > is part of the FreeBSD ports collection, which contains over 3100 > third-party applications in a ready-to-install format. > > FreeBSD makes no claim about the security of these third-party > applications, although an effort is underway to provide a security audit > of the most security-critical ports. > > III. Impact > > The successful attacker will have all of the access rights of that > database user and may be able to read, add or modify records. > > If you have not chosen to install the mysql322-server port/package, then > your system is not vulnerable. > > IV. Workaround > > Use appropriate access-control lists to limit which hosts can initiate > connections to MySQL databases - see: > > http://www.mysql.com/Manual_chapter/manual_Privilege_system.html > > for more information. If unrestricted remote access to the database is not > required, consider using ipfw(8) or ipf(8), or your network perimeter > firewall, to prevent remote access to the database from untrusted machines > (MySQL uses TCP port 3306 for network communication). Note that users who > have access to machines which are allowed to initiate database connections > (e.g. local users) can still exploit the security hole. > > V. Solution > > One of the following: > > 1) Upgrade your entire ports collection and rebuild the mysql322-server > port. > > 2) Reinstall a new package obtained from: > > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mys ql-server-3.22.32.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databases/my sql-server-3.22.32.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/databases/m ysql-server-3.22.32.tgz > > 3) download a new port skeleton for the mysql322-server port from: > > http://www.freebsd.org/ports/ > > and use it to rebuild the port. > > 4) Use the portcheckout utility to automate option (3) above. The > portcheckout port is available in /usr/ports/devel/portcheckout or the > package can be obtained from: > > ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBOLtYEVUuHi5z0oilAQHtbwP/TF0hNZwrO/wAuBjYF8Eff5aDU1KtnA9D > u0bcUakDgF/nODVxgOFZ1MfaK95PAhRqdYvtwssTqTXwlRB+PU0vtwjdt3p3l8d3 > SixfhxT+Ys/v222jK+o6lJdxfKOC4chNDseboSRoCSLEESNl2NDGkBKezKSzzlng > vzxtva695bI= > =KYqf > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security-notifications" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?006701bf82c2$b6436680$40ee2fd8>