tags 490777 -etch
thanks

On Mon, Jul 14, 2008 at 03:20:33PM +0200, martin f krafft wrote:
> This is not true. If you install the etch version, it binds to
> 127.0.0.1, or to any if lo is not available.

Ah - I see that you're correct. That's apparently a regression vs. sarge that I wasn't aware of.

> Even if there is no exploitable security hole at the moment, it's
> a hole nevertheless. I don't trust mysqld at all, so if I hadn't
> inspected this system closely before taking it live, I would have
> been hit by something unexpected.

"I don't trust mysqld" is not a proven security hole. <shrug>

> I won't play ping pong, but I believe the critical severity was
> justified. I hope this will get fixed for etch in a security update,
> and I certainly hope lenny won't ship mysqld with that hole.

Well, at present you've filed the bug on etch only. (In addition to the stray suite tag, it's also marked as only being found in a package version which is not an ancestor of the lenny package; you might want to fix that up with a 'found' command referencing an appropriate lenny version which also shows this bug.)

> > I'm not sure why you've tagged this bug 'etch' - do you believe the bug to
> > be resolved in later versions of the package?

> No idea. I thought since I found it on etch, I'd tag it etch. Does
> 'etch' suggest 'etch-only' ??

Yes. You should not use suite tags in the general case.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]

