From: Peter Pentchev
To: Alexandr Kovalenko
Cc: freebsd-security@freebsd.org
Date: Wed, 19 Mar 2003 16:08:55 +0200
Subject: Re: MySQL vulnerability: will go into -RELEASE?
Message-ID: <20030319140855.GG27330@straylight.oblivion.bg>
In-Reply-To: <20030319132332.GA18138@nevermind.kiev.ua>

On Wed, Mar 19, 2003 at 03:23:32PM +0200, Alexandr Kovalenko wrote:
> I wonder if there are plans to update MySQL to version 3.23.56 before
> 4.8 in order to fix the security vulnerability described here:
>
> http://marc.theaimsgroup.com/?l=bugtraq&m=104739810523433&w=2
>
> ?

I wrote a follow-up to that message which never made it to Bugtraq; the
list moderators somehow failed to act upon it, neither approving nor
rejecting it after a few days.

Basically, the FreeBSD port of MySQL is safe, as long as people use
the startup script provided by the port. The --user command-line option
overrides any and all config file settings, thus rendering this
particular vulnerability harmless.

Of course, other config file settings may still affect the MySQL server,
but the most dangerous one is moot for users of the FreeBSD port.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I am the thought you are now thinking.