mysql-server local DOS vulnerability
Hi,

I found a local DOS vulnerability in the mysql-server package. Since I am not experienced in the field of computer security, I have not contacted upstream nor any other security list about the issue and would be happy to get some feedback about the perceived severity of the problem and appropriate action to be taken.

MySQL has the configuration option max_connect_errors set to 10 in the default install. This means that after ten connection errors (handshake failed) the origin of these connection attempts is blocked from connecting again. This lets any local user who deliberately creates 10 connect errors block anyone from connecting to the db from localhost. The block is not automatically released but requires user interaction from the db admin (mysqladmin flush-hosts).

Quick-Fix: Add the following line to the [mysqld] section of my.cnf

    set-variable= max_connect_errors=9

[see also: http://www.mysql.com/doc/F/L/FLUSH.html]

I found this on my woody installation (though maybe not the very latest version) and I guess it is an issue for potato, too, since it can also be found in upstream.

I cc'ed the maintainer of mysql-server, Christian Hammers.

best regards,

Thiemo Nagel
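Added example, not part of the original message: a log check an admin could run to notice the blocked state described above, by matching MySQL's host-blocked client error (error 1129) in application logs. The "<date> <time> <app>: <msg>" log format, the application names and the sample lines are constructed assumptions.

```python
import re
from collections import OrderedDict

# Text of MySQL client error 1129. Punctuation after "errors" differs between
# releases, so only the stable part of the message is matched.
BLOCKED = re.compile(
    r"^(?P<ts>\S+ \S+) .*Host '(?P<host>[^']+)' is blocked "
    r"because of many connection errors"
)

# Constructed sample lines in a hypothetical "<date> <time> <app>: <msg>" format.
SAMPLE_LOG = """\
2002-05-01 10:00:01 webapp: connected to database
2002-05-01 10:03:12 webapp: ERROR 1129: Host 'localhost' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
2002-05-01 10:03:40 cronjob: ERROR 1129: Host 'localhost' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
2002-05-01 10:04:02 report: ERROR 1045: Access denied for user: 'bob@localhost' (Using password: YES)
2002-05-01 10:07:55 webapp: ERROR 1129: Host 'build1.example.org' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
"""

def blocked_hosts(lines):
    """Return {host: {"first": ts, "last": ts, "count": n}} for blocked origins."""
    seen = OrderedDict()
    for line in lines:
        m = BLOCKED.search(line)
        if not m:
            continue  # other errors (e.g. access denied) are not a host block
        entry = seen.setdefault(
            m["host"], {"first": m["ts"], "last": m["ts"], "count": 0}
        )
        entry["last"] = m["ts"]
        entry["count"] += 1
    return seen

def report(lines):
    """One alert line per blocked origin, naming the remedy from the post."""
    return [
        f"{host}: first refused {e['first']}, last {e['last']} "
        f"({e['count']} refused connects); run 'mysqladmin flush-hosts' "
        "and review max_connect_errors"
        for host, e in blocked_hosts(lines).items()
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Because the block applies to the origin host rather than to one account, a single alert for 'localhost' means every local client of the database is affected until the hosts are flushed.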