On 2006-08-08 Moritz Muehlenhoff wrote:
> Christian Hammers wrote:
> > MySQL today announced a new upstream version for mysql-server-4.1 that
> > fixes a security problem:
> >
> > Security fix: If a user has access to MyISAM table t, that user can
> > create a MERGE table m that accesses t. However, if the user's
> > privileges on t are subsequently revoked, the user can continue to
> > access t by doing so through m. If this behavior is undesirable, you
> > can start the server with the new --skip-merge option to disable the
> > MERGE storage engine.
> > http://bugs.mysql.com/bug.php?id=15195
> >
> > The bug affects
> > 3.23 woody
> > 4.0 sarge
> > 4.1 sarge
> > 5.0 unstable
> > although in 3.23 and 4.0 it's even more unlikely as merge tables
> > couldn't even span databases i.e. table based rights would have to be
> > revoked.
> >
> > Does this justify a DSA? If so, can you register a CVE id?
>
> Sorry for the late reply. My intuition tells me that the transferred
> privileges should be revoked, does the documentation indicate the same?
> However, if the fix only consists of an option to disable MERGE completely
> I don't think this solves the problem properly. If that's the case it
> should rather be documented as being problematic, so that it can be
> used appropriately.
>
> Cheers,
> Moritz
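The condition described in the quoted advisory text can be audited from `SHOW CREATE TABLE` output. The Python code below is an added example, not part of the original thread or of MySQL: it reports accounts that can read a MERGE table but hold no privilege on one of its underlying tables. The function names, the sample DDL and the table-level grant map are constructed assumptions; database-level and global grants would have to be expanded into that map first.

```python
import re

# A MERGE table shows ENGINE=MRG_MyISAM (TYPE= on older servers) and a UNION list.
_MERGE_RE = re.compile(r"\b(?:ENGINE|TYPE)\s*=\s*MRG_MYISAM\b", re.I)
_UNION_RE = re.compile(r"\bUNION\s*=\s*\(([^)]*)\)", re.I)
_NAME_RE = re.compile(r"(?:`([^`]+)`|(\w+))(?:\.(?:`([^`]+)`|(\w+)))?")

def merge_children(ddl, default_db):
    """Return [(db, table)] read through a MERGE table, or [] if ddl is not one."""
    union = _UNION_RE.search(ddl)
    if not _MERGE_RE.search(ddl) or not union:
        return []
    children = []
    for part in union.group(1).split(","):
        name = _NAME_RE.fullmatch(part.strip())
        if name:
            first = name.group(1) or name.group(2)
            second = name.group(3) or name.group(4)
            # `db`.`tbl` is cross-database; a bare name lives in the MERGE table's db.
            children.append((first, second) if second else (default_db, first))
    return children

def stale_merge_access(tables, grants):
    """tables: {(db, name): ddl}; grants: {user: {(db, name), ...}} (table-level).
    Returns sorted (user, merge_table, child) where child is reachable only via the MERGE table."""
    findings = []
    for merge_table, ddl in tables.items():
        for child in merge_children(ddl, merge_table[0]):
            for user, allowed in grants.items():
                if merge_table in allowed and child not in allowed:
                    findings.append((user, merge_table, child))
    return sorted(findings)

# Constructed sample data (not from the thread): hypothetical schemas and accounts.
_COLS = " (\n  `id` int(11) default NULL\n) "
SAMPLE_TABLES = {
    ("app", "t"): "CREATE TABLE `t`" + _COLS + "ENGINE=MyISAM DEFAULT CHARSET=latin1",
    ("app", "m"): "CREATE TABLE `m`" + _COLS + "ENGINE=MRG_MyISAM UNION=(`t`)",
    ("scratch", "m2"): "CREATE TABLE `m2`" + _COLS + "TYPE=MRG_MyISAM UNION=(`app`.`t`,`local`)",
}
SAMPLE_GRANTS = {
    "alice": {("app", "m"), ("scratch", "m2"), ("scratch", "local")},  # grant on app.t was revoked
    "bob": {("app", "t"), ("app", "m")},
}

if __name__ == "__main__":
    for user, merge_table, child in stale_merge_access(SAMPLE_TABLES, SAMPLE_GRANTS):
        print(f"{user}: reads {'.'.join(child)} through {'.'.join(merge_table)} without a grant on it")
```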

