Because many of the folks here use MySQL, I thought this was appropriate to cross-post here. This affects mysql server v3.22 on any platform, not just FreeBSD. Jay West ----- Original Message ----- From: FreeBSD Security Officer <[EMAIL PROTECTED]>; FreeBSD Security Officer <[EMAIL PROTECTED]> To: <undisclosed-recipients: ;> Sent: Monday, February 28, 2000 11:26 PM Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================ = > FreeBSD-SA-00:05 Security Advisory > FreeBSD, Inc. > > Topic: MySQL allows bypassing of password authentication > > Category: ports > Module: mysql322-server > Announced: 2000-02-28 > Affects: Ports collection before the correction date. > Corrected: 2000-02-15 > FreeBSD only: NO > > I. Background > > MySQL is a popular SQL database client/server distributed as part of the > FreeBSD ports collection. > > II. Problem Description > > The MySQL database server (versions prior to 3.22.32) has a flaw in the > password authentication mechanism which allows anyone who can connect to > the server to access databases without requiring a password, given a valid > username on the database - in other words, the normal password > authentication mechanism can be completely bypassed. > > MySQL is not installed by default, nor is it "part of FreeBSD" as such: it > is part of the FreeBSD ports collection, which contains over 3100 > third-party applications in a ready-to-install format. > > FreeBSD makes no claim about the security of these third-party > applications, although an effort is underway to provide a security audit > of the most security-critical ports. > > III. Impact > > The successful attacker will have all of the access rights of that > database user and may be able to read, add or modify records. > > If you have not chosen to install the mysql322-server port/package, then > your system is not vulnerable. > > IV. Workaround > > Use appropriate access-control lists to limit which hosts can initiate > connections to MySQL databases - see: > > http://www.mysql.com/Manual_chapter/manual_Privilege_system.html > > for more information. If unrestricted remote access to the database is not > required, consider using ipfw(8) or ipf(8), or your network perimeter > firewall, to prevent remote access to the database from untrusted machines > (MySQL uses TCP port 3306 for network communication). Note that users who > have access to machines which are allowed to initiate database connections > (e.g. local users) can still exploit the security hole. > > V. Solution > > One of the following: > > 1) Upgrade your entire ports collection and rebuild the mysql322-server > port. > > 2) Reinstall a new package obtained from: > > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mys ql-server-3.22.32.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databases/my sql-server-3.22.32.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/databases/m ysql-server-3.22.32.tgz > > 3) download a new port skeleton for the mysql322-server port from: > > http://www.freebsd.org/ports/ > > and use it to rebuild the port. > > 4) Use the portcheckout utility to automate option (3) above. The > portcheckout port is available in /usr/ports/devel/portcheckout or the > package can be obtained from: > > ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBOLtYEVUuHi5z0oilAQHtbwP/TF0hNZwrO/wAuBjYF8Eff5aDU1KtnA9D > u0bcUakDgF/nODVxgOFZ1MfaK95PAhRqdYvtwssTqTXwlRB+PU0vtwjdt3p3l8d3 > SixfhxT+Ys/v222jK+o6lJdxfKOC4chNDseboSRoCSLEESNl2NDGkBKezKSzzlng > vzxtva695bI= > =KYqf > -----END PGP SIGNATURE----- > > > This is the moderated mailing list freebsd-announce. > The list contains announcements of new FreeBSD capabilities, > important events and project milestones. > See also the FreeBSD Web pages at http://www.freebsd.org > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-announce" in the body of the message > === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
