Date: Wed, 19 Mar 2003 16:18:23 +0200
From: Peter Pentchev
To: Alexandr Kovalenko
Cc: freebsd-security@freebsd.org
Subject: Re: MySQL vulnerability: will go into -RELEASE?

On Wed, Mar 19, 2003 at 04:08:55PM +0200, Peter Pentchev wrote:
> On Wed, Mar 19, 2003 at 03:23:32PM +0200, Alexandr Kovalenko wrote:
> > I wonder if there are plans to update MySQL to version 3.23.56 before
> > 4.8 in order to fix security vulnerability described here:
> >
> > http://marc.theaimsgroup.com/?l=bugtraq&m=104739810523433&w=2
> >
> > ?
>
> I wrote a follow-up to that message which never made it to Bugtraq;
> the list moderators somehow failed to act upon it, neither approving
> nor rejecting it after a few days.
>
> Basically, the FreeBSD port of MySQL is safe, as long as people use
> the startup script provided by the port. The --user command-line
> option overrides any and all config file settings, thus rendering
> this particular vulnerability harmless. Of course, other config file
> settings may still affect the MySQL server, but the most dangerous
> one is moot for users of the FreeBSD port.

And just for the record, this is not a recent development in answer to
this particular advisory; it has been so since rev. 1.58 of the port's
Makefile, sometime in July 1999.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
When you are not looking at it, this sentence is in Spanish.