From owner-freebsd-questions Tue Feb 29 6:36:22 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from redbox.venux.net (redbox.venux.net [216.47.238.10]) by hub.freebsd.org (Postfix) with ESMTP id 473EB37BB6C for ; Tue, 29 Feb 2000 06:35:57 -0800 (PST) (envelope-from mitch@venux.net)
Received: from inky (inky.venux.net [216.47.238.64]) by redbox.venux.net (Postfix) with SMTP id 5B8902E20B for ; Tue, 29 Feb 2000 09:25:07 -0500 (EST)
Message-ID: <006701bf82c2$b6436680$40ee2fd8@venux.net>
From: "Mitch Vincent"
To:
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server
Date: Tue, 29 Feb 2000 09:38:57 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm guessing everyone has seen this; however, I'm concerned. If this is a MySQL bug, there is nothing on MySQL's site about it. The email references the "322-server"; there have been 32 more releases (patch levels, but still, releases) since 3.22 (if there even was a 3.22 to start with). Is this a bug that only affects the MySQL server installed from the ports? If so, I'm not sure I understand how that can be if it's a bug in MySQL itself. I'm very concerned, as we run several MySQL servers that could be affected by this.

Thanks!

- Mitch

----- Original Message -----
From: FreeBSD Security Officer ; FreeBSD Security Officer
To:
Sent: Tuesday, February 29, 2000 12:26 AM
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-00:05                                           Security Advisory
>                                                                FreeBSD, Inc.
>
> Topic:          MySQL allows bypassing of password authentication
>
> Category:       ports
> Module:         mysql322-server
> Announced:      2000-02-28
> Affects:        Ports collection before the correction date.
> Corrected:      2000-02-15
> FreeBSD only:   NO
>
> I. Background
>
> MySQL is a popular SQL database client/server distributed as part of the
> FreeBSD ports collection.
>
> II. Problem Description
>
> The MySQL database server (versions prior to 3.22.32) has a flaw in the
> password authentication mechanism which allows anyone who can connect to
> the server to access databases without requiring a password, given a valid
> username on the database - in other words, the normal password
> authentication mechanism can be completely bypassed.
>
> MySQL is not installed by default, nor is it "part of FreeBSD" as such: it
> is part of the FreeBSD ports collection, which contains over 3100
> third-party applications in a ready-to-install format.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security audit
> of the most security-critical ports.
>
> III. Impact
>
> The successful attacker will have all of the access rights of that
> database user and may be able to read, add or modify records.
>
> If you have not chosen to install the mysql322-server port/package, then
> your system is not vulnerable.
>
> IV. Workaround
>
> Use appropriate access-control lists to limit which hosts can initiate
> connections to MySQL databases - see:
>
> http://www.mysql.com/Manual_chapter/manual_Privilege_system.html
>
> for more information. If unrestricted remote access to the database is not
> required, consider using ipfw(8) or ipf(8), or your network perimeter
> firewall, to prevent remote access to the database from untrusted machines
> (MySQL uses TCP port 3306 for network communication). Note that users who
> have access to machines which are allowed to initiate database connections
> (e.g.
> local users) can still exploit the security hole.
>
> V. Solution
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the mysql322-server
> port.
>
> 2) Reinstall a new package obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-server-3.22.32.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databases/mysql-server-3.22.32.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/databases/mysql-server-3.22.32.tgz
>
> 3) Download a new port skeleton for the mysql322-server port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> -----END PGP SIGNATURE-----
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security-notifications" in the body of the message
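The advisory's fix is "anything below mysql-server 3.22.32 from the ports is affected", so the check an administrator actually wants is whether an installed package is older than that. The POSIX shell below is an added example, not part of the advisory or of Mitch's mail; it assumes package names of the form `mysql-server-X.Y.Z` (the naming used by the package files the advisory links), and the `pkg_info`-style listing it parses is constructed sample data.

```shell
#!/bin/sh
# Added example: flag installed mysql-server packages older than the
# fixed version 3.22.32 named in FreeBSD-SA-00:05, given pkg_info-style
# package names on stdin. Assumes names look like mysql-server-X.Y.Z.

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Missing trailing components count as 0, so 3.22 < 3.22.32.
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; na = NF; next }
        NR == 2 {
            n = (NF > na) ? NF : na
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? a[i] + 0 : 0
                y = (i <= NF) ? $i + 0 : 0
                if (x < y) exit 0     # first version is lower
                if (x > y) exit 1     # first version is higher
            }
            exit 1                    # equal: not lower
        }'
}

# vulnerable_mysql_pkgs: read package names (one per line, as pkg_info
# prints them) and echo each mysql-server package below the fixed version.
vulnerable_mysql_pkgs() {
    FIXED=3.22.32
    while IFS= read -r pkg; do
        case "$pkg" in
            mysql-server-*)
                ver=${pkg#mysql-server-}
                if version_lt "$ver" "$FIXED"; then
                    echo "$pkg"
                fi
                ;;
        esac
    done
}

# Constructed sample of "pkg_info" output (not from a real host).
SAMPLE_PKGS='mysql-server-3.22.30
mysql-server-3.22.32
mysql-client-3.22.30
portcheckout-2.0'

# Stand-alone run: prints only mysql-server-3.22.30.
printf '%s\n' "$SAMPLE_PKGS" | vulnerable_mysql_pkgs
```

On a real host, replace the constructed listing with `pkg_info | awk '{print $1}'` piped into `vulnerable_mysql_pkgs`; the client package is deliberately ignored because the advisory covers only the server.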