Christian Hammers wrote:
> MySQL today announced a new upstream version for mysql-server-4.1 that
> fixes a security problem:
> 
>   Security fix: If a user has access to MyISAM table t, that user can
>   create a MERGE table m that accesses t. However, if the user's
>   privileges on t are subsequently revoked, the user can continue to
>   access t by doing so through m. If this behavior is undesirable, you
>   can start the server with the new --skip-merge option to disable the
>   MERGE storage engine.
>   http://bugs.mysql.com/bug.php?id=15195
> 
> The bug affects
>   3.23 woody
>   4.0  sarge
>   4.1  sarge
>   5.0  unstable
> although in 3.23 and 4.0 it's even more unlikely as merge tables
> couldn't even span databases i.e. table based rights would have to be
> revoked.
> 
> Does this justify a DSA? If so, can you register a CVE id?

Sorry for the late reply. My intuition tells me that the transferred
privileges should be revoked; does the documentation indicate the same?
However, if the fix only consists of an option to disable MERGE completely,
I don't think this solves the problem properly. If that's the case, it
should rather be documented as being problematic, so that it can be
used appropriately.

Cheers,
        Moritz
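An added example, not part of the thread and not MySQL or Debian code: one way to audit for the condition described in the quoted advisory, by listing accounts that can read a MERGE table while lacking SELECT on one of its underlying tables. The table names, accounts and the flattened table-level grant map are constructed assumptions; real MySQL privileges also come from global, database and column levels.

```python
import re

# Constructed sample: SHOW CREATE TABLE text keyed by (database, table).
SAMPLE_DDL = {
    ("app", "t"): "CREATE TABLE `t` (`id` int(11)) ENGINE=MyISAM",
    ("app", "m"): "CREATE TABLE `m` (`id` int(11)) ENGINE=MRG_MyISAM UNION=(`t`)",
    ("rpt", "all_logs"): "CREATE TABLE `all_logs` (`id` int(11)) "
                         "ENGINE=MRG_MyISAM UNION=(`logs`.`y2005`,`logs`.`y2006`)",
}
# Constructed sample: accounts holding SELECT on each table (simplified model).
SAMPLE_SELECT_GRANTS = {
    ("app", "t"): {"admin"},              # alice's SELECT on t was revoked
    ("app", "m"): {"admin", "alice"},     # ...but she can still read m
    ("logs", "y2005"): {"bob"},
    ("logs", "y2006"): {"bob"},
    ("rpt", "all_logs"): {"bob"},
}

ENGINE_RE = re.compile(r"\b(?:ENGINE|TYPE)=(?:MRG_MyISAM|MERGE)\b", re.I)
UNION_RE = re.compile(r"\bUNION=\(([^)]*)\)", re.I)
NAME = r"`?([^`.,\s()]+)`?"
MEMBER_RE = re.compile(rf"(?:{NAME}\.)?{NAME}")  # optional db qualifier

def merge_members(db, ddl):
    """Return [(db, table), ...] for a MERGE table's UNION list, else None."""
    if not ENGINE_RE.search(ddl):
        return None
    union = UNION_RE.search(ddl)
    body = union.group(1) if union else ""
    # Unqualified members live in the MERGE table's own database.
    return [(m_db or db, tbl) for m_db, tbl in MEMBER_RE.findall(body)]

def find_stale_access(ddl_by_table, select_grants):
    """List (user, merge_table, underlying_table) where the user can read
    the MERGE table but holds no SELECT on the underlying table."""
    findings = []
    for (db, table), ddl in ddl_by_table.items():
        members = merge_members(db, ddl)
        if not members:
            continue
        for user in select_grants.get((db, table), set()):
            for member in members:
                if user not in select_grants.get(member, set()):
                    findings.append((user, (db, table), member))
    return sorted(findings)

if __name__ == "__main__":
    for user, merge_tbl, member in find_stale_access(SAMPLE_DDL, SAMPLE_SELECT_GRANTS):
        print(f"{user}: reads {merge_tbl} without SELECT on {member}")
```
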

