Package: mysql-server-5.0
Version: 5.0.32-7etch8
Severity: grave
Tags: security
Justification: user security hole

Hi,

The question asking for the administrative password has a priority of `medium'. Debconf's default is to ask only questions of at least priority `high' since 1.4.61 (and d-i apparently sets this value by default for even longer). This results in an empty root password by default. Every user who can connect from `localhost' then has full administrative privileges. The only thing he has to do is run `mysql -u root'.

The question for the password should at least have priority `high' (or even `critical'[1]).

Regards,
Ansgar

[1] Debconf's own configuration suggests this priority to newbies.
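
An audit for the pattern this report describes, as an added example that is not part of the original report or of the package: it scans debconf config scripts for `db_input` prompts whose question name contains "password" and whose priority is below the debconf threshold, so the prompt would never be shown. The question names in the sample script are constructed for illustration.

```shell
#!/bin/sh
# Map a debconf priority name to a number so priorities can be compared.
prio_rank() {
    case "$1" in
        low)      echo 0 ;;
        medium)   echo 1 ;;
        high)     echo 2 ;;
        critical) echo 3 ;;
        *)        echo -1 ;;
    esac
}

# find_hidden_password_prompts THRESHOLD FILE...
# Prints "file:question:priority" for every password question asked below THRESHOLD.
find_hidden_password_prompts() {
    threshold=$(prio_rank "$1"); shift
    for f in "$@"; do
        # Extract "<priority> <question>" from lines of the form: db_input <priority> <question>
        sed -n 's/^[[:space:]]*db_input[[:space:]]\{1,\}\([a-z]\{1,\}\)[[:space:]]\{1,\}\([^[:space:]|;]*\).*/\1 \2/p' "$f" |
        while read -r prio question; do
            case "$question" in *[Pp]assword*) ;; *) continue ;; esac
            if [ "$(prio_rank "$prio")" -lt "$threshold" ]; then
                echo "$f:$question:$prio"
            fi
        done
    done
    return 0
}

# Constructed sample of a package config script (not taken from any real package).
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
. /usr/share/debconf/confmodule
db_input medium example-db/root_password || true
db_input high example-db/start_on_boot || true
db_input critical example-db/admin_password_again || true
db_go
EOF
}

# Demo: with the default threshold named in the report (high), the medium prompt is flagged.
sample=$(mktemp)
write_sample "$sample"
find_hidden_password_prompts high "$sample"
rm -f "$sample"
```

On an installed system the package config scripts are under `/var/lib/dpkg/info/*.config`; prompts whose priority is held in a shell variable are not matched by this pattern and need manual review.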