Re: Is Debian affected by the recent MySQL sql/password.c flow?
On 06/12/2012 10:25 AM, Aron Xu wrote:
> I'm not expecting to hide anything, but it's harmful to announce to the world by a discussion in debian-devel that we are affected with no solution provided, at the time related people (meaning the maintainers and Security Team, not including the user - like you) haven't said a word about it.

If Debian was affected (which it seems it is not), you wouldn't be able to keep that secret for more than a few minutes. You can be 100% sure that a bunch of hackers would already be playing with your MySQL server. And this, even before you hear about this. If such a disaster happens, then it's better to know asap, so critical servers can be patched asap too (even before Debian releases or announces anything).

The harm would be to believe not posting in debian-devel is changing anything.

I agree I should have posted in debian-security@l.d.o though.

Thomas

p.s: Anyway, it seems we're safe this time, even in SID! :)

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4fd6e6ba.8060...@debian.org
Re: Is Debian affected by the recent MySQL sql/password.c flow?
> So because it turned out that the information indeed was public, you find it ok to ask in public if it is public.

He posted a link in the 1st email... how is a link non-public?

--
Salvo Tomaselli

Archive: http://lists.debian.org/201206121233.35003.tipos...@tiscali.it
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On 12-06-12 at 12:33pm, Salvo Tomaselli wrote:
>> So because it turned out that the information indeed was public, you find it ok to ask in public if it is public.
>
> He posted a link in the 1st email... how is a link non-public?

The link was public. The discussion here about potential issues in Debian was not.

- Jonas

--
* Jonas Smedegaard - idealist Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private

signature.asc Description: Digital signature
Re: Re: Is Debian affected by the recent MySQL sql/password.c flow?
Hi,

On Mon, Jun 11, 2012 at 10:53:50PM +0200, Peter Pöschl wrote:
> Seems you overlooked this:
> Debian Unstable 64-bit 5.5.23-2

I just tried on my 32bit machine, and didn't get in in some 50,000 attempts. Also, the squeeze versions are listed under unaffected, which is what reduces the stress level.

Kind regards,
--Toni++

Archive: http://lists.debian.org/20120612214337.ga26...@spruce.wiehl.oeko.net
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On Tue, Jun 12, 2012 at 1:44 AM, Thomas Goirand tho...@goirand.fr wrote:
> Hi,
>
> Since it has been made public, I believe it's ok to discuss it in -devel. I came across this: http://seclists.org/oss-sec/2012/q2/493
>
> Is the Squeeze version affected? And SID? By reading it, especially the end about GCC, it's unclear to me if we need an urgent patch:
>
>> To my knowledge gcc builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc sse-optimized memcmp is not safe, but gcc usually uses the inlined builtin version.
>
> In which case are we?

IMHO I suggest to talk with the Security Team before disclosing information that might be sensitive in the meantime on a Debian development mailing list.

--
Regards,
Aron Xu

Archive: http://lists.debian.org/CAMr=8w4mob-swjzygcwbw-qlbhhjf+umos+38uq839bmra2...@mail.gmail.com
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On Tue, 2012-06-12 at 01:44 +0800, Thomas Goirand wrote:
> Hi,
>
> Since it has been made public, I believe it's ok to discuss it in -devel. I came across this: http://seclists.org/oss-sec/2012/q2/493
>
> Is the Squeeze version affected? And SID? By reading it, especially the end about GCC, it's unclear to me if we need an urgent patch:

According to this:
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
Debian is not affected.

Kind regards,

--
Lech Karol Pawłaszek
lech.pawlas...@blstream.com
+48 600 060 758

Archive: http://lists.debian.org/1339437600.2658.3.camel@macbook
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On 06/12/2012 01:52 AM, Aron Xu wrote:
> IMHO I suggest to talk with the Security Team before disclosing information that might be sensitive in the meantime on a Debian development mailing list.

Could you explain to me what exactly I'm disclosing? The news is already on slashdot and so on, and I think it'd be better to know, as hackers will.

I made 10 000 connection attempts with a random pass to one of my Squeeze servers, and couldn't get in, so unless I'm really unlucky (there's one chance out of 256), then Debian is not vulnerable. I just wanted to be sure of it.

Cheers,

Thomas

Archive: http://lists.debian.org/4fd634d8.7050...@debian.org
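The memcmp remark quoted from the oss-sec post earlier in the thread and the "one chance out of 256" Thomas mentions above come from the same defect in CVE-2012-2122: the int returned by the hash comparison was narrowed to a one-byte boolean, so any non-zero result that happens to be a multiple of 256 turns into 0, i.e. "password correct". The C program below is an added illustration written for this page, not MySQL's sql/password.c and not code from anyone in the thread. It places a vulnerable check beside a hardened one and runs both under two comparators. All names are hypothetical, wide_memcmp is a constructed stand-in for a libc memcmp whose results are not confined to -1/0/1 (here it always returns a multiple of 256, to make the failure deterministic rather than roughly one call in 256), narrow_memcmp models a comparator that only returns -1/0/1 as the post attributes to gcc's builtin, and the two hash buffers are made-up sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is an added illustration, not code
 * from MySQL. */
#define HASH_SIZE 20                 /* SHA-1 digest length */
typedef char my_bool_t;              /* one-byte boolean, like MySQL's my_bool */
typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Constructed stand-in for an optimized memcmp whose non-zero results are
 * not limited to -1/0/1. It reports the first differing byte pair as
 * (a - b) * 256, always a multiple of 256, so narrowing to one byte always
 * yields 0. A real optimized memcmp only does this for some inputs, which
 * is where the roughly 1-in-256 false accept comes from. */
static int wide_memcmp(const void *pa, const void *pb, size_t n)
{
    const uint8_t *a = pa, *b = pb;
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return ((int)a[i] - (int)b[i]) * 256;
    return 0;
}

/* Stand-in for a comparator that only ever returns -1, 0 or 1, the
 * behaviour the oss-sec post attributes to gcc's builtin memcmp. */
static int narrow_memcmp(const void *pa, const void *pb, size_t n)
{
    int r = memcmp(pa, pb, n);
    return (r > 0) - (r < 0);
}

/* Vulnerable form: the comparator's int is narrowed to a one-byte boolean.
 * A mismatch reported as 256 becomes 0, which the caller reads as
 * "hashes match". */
static my_bool_t check_scramble_vulnerable(const uint8_t *expected,
                                           const uint8_t *computed, cmp_fn cmp)
{
    return (my_bool_t)cmp(expected, computed, HASH_SIZE);
}

/* Hardened form: collapse to 0/1 before narrowing, so every non-zero
 * comparator result stays non-zero whatever its magnitude. */
static my_bool_t check_scramble_fixed(const uint8_t *expected,
                                      const uint8_t *computed, cmp_fn cmp)
{
    return cmp(expected, computed, HASH_SIZE) != 0;
}

/* Constructed sample data: a stored hash and a "wrong password" hash that
 * differs from it in a single byte (index 7). */
static const uint8_t stored_hash[HASH_SIZE] = {
    0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0x10,0x32,
    0x54,0x76,0x98,0xba,0xdc,0xfe,0x11,0x22,0x33,0x44 };
static const uint8_t wrong_hash[HASH_SIZE] = {
    0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xee,0x10,0x32,
    0x54,0x76,0x98,0xba,0xdc,0xfe,0x11,0x22,0x33,0x44 };

/* Sweep all 255 single-byte corruptions of the stored hash at index 7 and
 * count how many wrong hashes a given check accepts (returns 0 for). */
static int count_false_accepts(my_bool_t (*check)(const uint8_t *,
                                                   const uint8_t *, cmp_fn),
                               cmp_fn cmp)
{
    int accepted = 0;
    uint8_t probe[HASH_SIZE];
    for (int d = 1; d < 256; d++) {
        memcpy(probe, stored_hash, HASH_SIZE);
        probe[7] = (uint8_t)(stored_hash[7] + d);   /* wraps mod 256, never equal */
        if (check(stored_hash, probe, cmp) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("single wrong hash, vulnerable check, wide memcmp: %s\n",
           check_scramble_vulnerable(stored_hash, wrong_hash, wide_memcmp) == 0
               ? "ACCEPTED" : "rejected");
    printf("vulnerable check, wide memcmp:   %d/255 wrong hashes accepted\n",
           count_false_accepts(check_scramble_vulnerable, wide_memcmp));
    printf("vulnerable check, narrow memcmp: %d/255 wrong hashes accepted\n",
           count_false_accepts(check_scramble_vulnerable, narrow_memcmp));
    printf("fixed check, wide memcmp:        %d/255 wrong hashes accepted\n",
           count_false_accepts(check_scramble_fixed, wide_memcmp));
    return 0;
}
```

The fixed variant is the minimal change; a comparison that runs in constant time and returns a plain 0/1 is the form a password check should take in the first place, since it removes both the narrowing hazard and the timing side channel at once.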
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On 06/12/2012 02:00 AM, Lech Karol Pawłaszek wrote:
> According to this:
> https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
> Debian is not affected.
>
> Kind regards,

Cool, thanks!

Thomas

Archive: http://lists.debian.org/4fd634ff.2000...@debian.org
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On Tue, Jun 12, 2012 at 2:11 AM, Thomas Goirand z...@debian.org wrote:
> On 06/12/2012 01:52 AM, Aron Xu wrote:
>> IMHO I suggest to talk with the Security Team before disclosing information that might be sensitive in the meantime on a Debian development mailing list.
>
> Could you explain to me what exactly I'm disclosing? The news is already on slashdot and so on, and I think it'd be better to know, as hackers will.

I'm not saying you are disclosing anything, but you are asking publicly, in a Debian development mailing list, if someone knows what status it's in. Then this may lead to some disclosing and even mislead some other people. Yes there are many people doing tests just like you, and they are reporting their results in many ways they prefer. But as you are a DD you'd better not ignore our Security Team when starting discussion publicly about a security incident you are not sure is relevant to Debian. People at the Security Team are not only responsible for fixing things when it breaks out, but also make sure sensitive information is being disclosed in a correct form at a correct time. In the end, I believe talking with them beforehand is always the right way to do it, no matter if Debian is affected by this particular issue.

--
Regards,
Aron Xu

Archive: http://lists.debian.org/CAMr=8w6smb3shwjwmeo_-vuruvzrviigonbsxf3pgnxpkoq...@mail.gmail.com
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On 12-06-12 at 02:11am, Thomas Goirand wrote:
> On 06/12/2012 01:52 AM, Aron Xu wrote:
>> IMHO I suggest to talk with the Security Team before disclosing information that might be sensitive in the meantime on a Debian development mailing list.
>
> Could you explain to me what exactly I'm disclosing?

s/disclosing/promoting/

- Jonas

--
* Jonas Smedegaard - idealist Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On Tue., 2012-06-12 at 02:23 +0800, Aron Xu wrote:
> On Tue, Jun 12, 2012 at 2:11 AM, Thomas Goirand z...@debian.org wrote:
>> On 06/12/2012 01:52 AM, Aron Xu wrote:
>>> IMHO I suggest to talk with the Security Team before disclosing information that might be sensitive in the meantime on a Debian development mailing list.
>>
>> Could you explain to me what exactly I'm disclosing? The news is already on slashdot and so on, and I think it'd be better to know, as hackers will.
>
> I'm not saying you are disclosing anything, but you are asking publicly, in a Debian development mailing list, if someone knows what status it's in. Then this may lead to some disclosing and even mislead some other people. Yes there are many people doing tests just like you, and they are reporting their results in many ways they prefer. But as you are a DD you'd better not ignore our Security Team when starting discussion publicly about a security incident you are not sure is relevant to Debian. People at the Security Team are not only responsible for fixing things when it breaks out, but also make sure sensitive information is being disclosed in a correct form at a correct time. In the end, I believe talking with them beforehand is always the right way to do it, no matter if Debian is affected by this particular issue.

To be honest, I think -devel is a bad place for this just because it's more or less full of useless, hundred-mails-long threads, so for example I can barely follow it (and am considering removing my subscription). So it'd be better on some less noisy, security-related Debian list like debian-secur...@lists.debian.org.

Regards,
--
Yves-Alexis
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On Tue, Jun 12, 2012 at 02:23:47AM +0800, Aron Xu wrote:
> sure whether it's relevant to Debian. People at the Security Team are not only responsible for fixing things when it breaks out, but also make sure sensitive information is being disclosed in a correct form at a correct time. In the end, I believe talking with them beforehand is always the right way to do it, no matter if Debian is affected by this particular issue.

Coordinated disclosure is irresponsible, and we shouldn't do it.

Archive: http://lists.debian.org/20120611183902.ga3...@scru.org
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On 06/12/2012 02:23 AM, Aron Xu wrote:
> I'm not saying you are disclosing anything, but you are asking publicly, in a Debian development mailing list, if someone knows what status it's in. Then this may lead to some disclosing and even mislead some other people. Yes there are many people doing tests just like you, and they are reporting their results in many ways they prefer. But as you are a DD you'd better not ignore our Security Team when starting discussion publicly about a security incident you are not sure is relevant to Debian. People at the Security Team are not only responsible for fixing things when it breaks out, but also make sure sensitive information is being disclosed in a correct form at a correct time. In the end, I believe talking with them beforehand is always the right way to do it, no matter if Debian is affected by this particular issue.

The first time I wrote it, it wasn't clear enough. Maybe writing with CAPS-ON will help your understanding! :)

IT HAS ALREADY BEEN MADE PUBLIC (for example: on slashdot) !!!

Do you get it now? :)

With such a security glitch, how much do you expect from keeping such a discussion secret, with the security team? I'm telling you, you'd achieve absolutely nothing. Everyone will know so fast that it doesn't matter at all. And it's better that everyone in Debian knows about what's going on, so we have at least a little bit of opportunity to fix what can be before disasters.

Thomas

Archive: http://lists.debian.org/4fd63b81.2080...@debian.org
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On Mon, June 11, 2012 20:11, Thomas Goirand wrote:
> On 06/12/2012 01:52 AM, Aron Xu wrote:
>> IMHO I suggest to talk with the Security Team before disclosing information that might be sensitive in the meantime on a Debian development mailing list.
>
> Could you explain to me what exactly I'm disclosing? The news is already on slashdot and so on, and I think it'd be better to know, as hackers will.

As usual, the appropriate discussion venue for specific public security issues is a bug against the package tagged security, in this case 677018. Vulnerability information for the various current distributions can also be found in the Security Tracker. I don't think there is a need to move these fora to debian-devel.

Thanks.

Thijs

Archive: http://lists.debian.org/a53561f605ea17ad9be101d9a2e9c8f2.squir...@wm.kinkhorst.nl
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On 12-06-12 at 02:40am, Thomas Goirand wrote:
> On 06/12/2012 02:23 AM, Aron Xu wrote:
>> I'm not saying you are disclosing anything, but you are asking publicly, in a Debian development mailing list, if someone knows what status it's in. Then this may lead to some disclosing and even mislead some other people. Yes there are many people doing tests just like you, and they are reporting their results in many ways they prefer. But as you are a DD you'd better not ignore our Security Team when starting discussion publicly about a security incident you are not sure is relevant to Debian. People at the Security Team are not only responsible for fixing things when it breaks out, but also make sure sensitive information is being disclosed in a correct form at a correct time. In the end, I believe talking with them beforehand is always the right way to do it, no matter if Debian is affected by this particular issue.
>
> The first time I wrote it, it wasn't clear enough. Maybe writing with CAPS-ON will help your understanding! :)
>
> IT HAS ALREADY BEEN MADE PUBLIC (for example: on slashdot) !!!

What you asked, and the answer to that question, was not already public.

...or you wouldn't have asked, I hope. ;-)

- Jonas

--
* Jonas Smedegaard - idealist Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On 06/12/2012 03:17 AM, Jonas Smedegaard wrote:
> What you asked, and the answer to that question, was not already public.
>
> ...or you wouldn't have asked, I hope. ;-)
>
> - Jonas

Actually, it was, and I was expecting to be able to find it, but didn't, which is why I asked! :)

Thomas

Archive: http://lists.debian.org/4fd64649.9070...@debian.org
Re: Re: Is Debian affected by the recent MySQL sql/password.c flow?
Seems you overlooked this:

Debian Unstable 64-bit 5.5.23-2

Archive: http://lists.debian.org/201206112253.50532.pp2ml.deb0...@nest-ai.de
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On 12-06-12 at 03:26am, Thomas Goirand wrote:
> On 06/12/2012 03:17 AM, Jonas Smedegaard wrote:
>> What you asked, and the answer to that question, was not already public.
>>
>> ...or you wouldn't have asked, I hope. ;-)
>>
>> - Jonas
>
> Actually, it was, and I was expecting to be able to find it, but didn't, which is why I asked! :)

So because it turned out that the information indeed was public, you find it ok to ask in public if it is public.

Wauw. I give up.

- Jonas

--
* Jonas Smedegaard - idealist Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On Tue, Jun 12, 2012 at 2:40 AM, Thomas Goirand z...@debian.org wrote:
> On 06/12/2012 02:23 AM, Aron Xu wrote:
>> I'm not saying you are disclosing anything, but you are asking publicly, in a Debian development mailing list, if someone knows what status it's in. Then this may lead to some disclosing and even mislead some other people. Yes there are many people doing tests just like you, and they are reporting their results in many ways they prefer. But as you are a DD you'd better not ignore our Security Team when starting discussion publicly about a security incident you are not sure is relevant to Debian. People at the Security Team are not only responsible for fixing things when it breaks out, but also make sure sensitive information is being disclosed in a correct form at a correct time. In the end, I believe talking with them beforehand is always the right way to do it, no matter if Debian is affected by this particular issue.
>
> The first time I wrote it, it wasn't clear enough. Maybe writing with CAPS-ON will help your understanding! :)
>
> IT HAS ALREADY BEEN MADE PUBLIC (for example: on slashdot) !!!
>
> Do you get it now? :)

It's YOU that didn't get my point, :)

> With such a security glitch, how much do you expect from keeping such a discussion secret, with the security team? I'm telling you, you'd achieve absolutely nothing. Everyone will know so fast that it doesn't matter at all. And it's better that everyone in Debian knows about what's going on, so we have at least a little bit of opportunity to fix what can be before disasters.

I'm not expecting to hide anything, but it's harmful to announce to the world by a discussion in debian-devel that we are affected with no solution provided, at the time related people (meaning the maintainers and Security Team, not including the user - like you) haven't said a word about it.

If you are trying to inform people to act, then debian-devel is not a good place, because you can't expect all Debian users are following our mailing lists. If it's YOU who want to be sure of something, then confirming with mysql's maintainer and/or the Security Team will give you a certain answer. debian-devel is not a place for collecting random trying discoveries for security-related issues anyway.

--
Regards,
Aron Xu

Archive: http://lists.debian.org/CAMr=8w7wdcxsinarakgyjmcunbsdachultnyroj4_0b1k4z...@mail.gmail.com
Re: Is Debian affected by the recent MySQL sql/password.c flow?
On Tue, Jun 12, 2012 at 2:39 AM, Clint Adams cl...@debian.org wrote:
> On Tue, Jun 12, 2012 at 02:23:47AM +0800, Aron Xu wrote:
>> sure whether it's relevant to Debian. People at the Security Team are not only responsible for fixing things when it breaks out, but also make sure sensitive information is being disclosed in a correct form at a correct time. In the end, I believe talking with them beforehand is always the right way to do it, no matter if Debian is affected by this particular issue.
>
> Coordinated disclosure is irresponsible, and we shouldn't do it.

Then it's better to start the discussion at debian-security@l.d.o or at least start a new thread, :) Currently our Security Team tends to coordinate disclosures, I think (but I'm not a team member, of course).

--
Regards,
Aron Xu

Archive: http://lists.debian.org/CAMr=8w5royoyascd1wppvjma3mwk10jquopn5dkxggse2y0...@mail.gmail.com
Re: Is Debian affected by the recent MySQL sql/password.c flow?
Quoting Thomas Goirand (z...@debian.org):
> The first time I wrote it, it wasn't clear enough. Maybe writing with CAPS-ON will help your understanding! :)
>
> IT HAS ALREADY BEEN MADE PUBLIC (for example: on slashdot) !!!

The debian-security mailing list is a public list.

My stance about security issues (and, by looking at samba's changelog, you can see that I dealt with many, now...):

- when public, discuss them with the security team through the debian-security mailing list
- when not yet public, discuss them with t...@security.debian.org

In both cases, our security team is very helpful and reactive.