[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

This bug was fixed in the package mysql-8.0 - 8.0.22-0ubuntu0.20.04.3 --- mysql-8.0 (8.0.22-0ubuntu0.20.04.3) focal-security; urgency=medium * SECURITY UPDATE: restrict open mysqlx port (LP: #1857584) - debian/additions/mysql.conf.d/mysqld.cnf: bind mysqlx port to

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

** Changed in: mysql-8.0 (Ubuntu Focal) Status: Incomplete => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1857584 Title: MySQL X protocol port 33060 listening on network by

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

** Tags removed: server-next server-triage-discuss -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1857584 Title: MySQL X protocol port 33060 listening on network by default To manage notifications

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

I don't think having the port open by default is acceptable. It was clearly an oversight when the new MySQL version was prepared, and I suspect a lot of users are now running an open port without knowing about it. While publishing out an update that closes the port may break certain

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

** Tags added: server-triage-discuss -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1857584 Title: MySQL X protocol port 33060 listening on network by default To manage notifications about this bug

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

I'll sum up my view on this (which I had hoped, would be yours, too): So far, in Ubuntu, mysqld always listened on port 3306 only, and only on the loopback interface by default. 20.04 introduced a mysql server version which introduces the MySQL X protocol. The expectation a mysql server

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

To reiterate Robie's point, for 20.04 this would be a behavioral change, and while it is almost surely appropriate to do, in order to get it accepted by the SRU process there needs to be a strong justification of what the trouble is if it is left as-is. >From the description it sounds like the

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

mysql-8.0 is available only in focal, groovy, and hirsute. Checking each release's mysqld.cnf for the fix: * focal: Missing * groovy: Has it * hirsute: Has it ** Also affects: mysql-8.0 (Ubuntu Hirsute) Importance: Undecided Status: Confirmed ** Also affects: mysql-8.0

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

Note that if you care, the workaround is to close the port in a configuration file is trivial. What remains is the trade-off in regressing users in stable releases versus a more sensible default. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

It is addressed properly. This was fixed in https://salsa.debian.org /mariadb-team/mysql/-/commit/94e3a663b235d7720f7e98d9f34af27aace166ef What Ubuntu releases (if any yet) include this change needs checking. If this needs fixing in a stable Ubuntu release, then this needs separate justification

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

** Tags added: server-next -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1857584 Title: MySQL X protocol port 33060 listening on network by default To manage notifications about this bug go to:

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

This is a security issue, why don't you address it properly? In addition, the fix is just simple. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1857584 Title: MySQL X protocol port 33060 listening

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

bind-address and mysqlx-bind-address both default to *, but the config file (/etc/mysql/mysql.conf.d/mysqld.cnf) sets bind-address to 127.0.0.1, so I think we just need to do the same for mysqlx-bind- address, as mentioned above. -- You received this bug notification because you are a member of

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1857584 Title: MySQL X protocol port 33060 listening on network by default To manage

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

A workaround is to add the following to one of the mysql config files, e.g., /etc/mysql/mysql.cnf: [mysqld] mysqlx_bind_address = 127.0.0.1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1857584

[Bug 1857584] Re: MySQL X protocol port 33060 listening on network by default

Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: mysql-8.0 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1857584 Title: