[cumbria_lug] Re[3]: [Cumbria] Mandrake 9.1
Ian Linwood
cumbria at mailman.lug.org.uk
Fri May 2 19:56:01 2003
Hello Luke,
Saturday, April 12, 2003, 10:11:20 PM, you wrote:
> Why is it hard or impossible to make MySQL secure? I'd be very interested
> to know what makes it so insecure.
Rekindling old flame (ok, ok, i'm bored)
A double-free vulnerability in mysqld, for MySQL before version 3.23.55,
allows attackers with MySQL access to cause a denial of service (crash) by
creating a carefully crafted client application. The Common
Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the
name
CAN-2003-0073 to this issue.
MySQL 3.23.55 and earlier creates world-writable files and allows mysql
users to gain root privileges by using the "SELECT * INFO OUTFILE" operator
to overwrite a configuration file and cause mysql to run as root upon
restart. The Common Vulnerabilities and Exposures project (cve.mitre.org/)
has assigned the name CAN-2003-0150 to this issue.
--
Best regards,
Ian mailto:ian@darksideofthemoon.org.uk