This isn't a new bug.  This was mentioned about a year ago.

Besides, this isn't just a mysqld problem - it's a problem that plagues ANY TCP/IP 
based daemon.  It's common sys admin sense NOT to run ANY daemon as root unless there 
is absolutely, positively NO OTHER WAY to get it to run properly.

Benjamin Pflugmann <[EMAIL PROTECTED]> wrote:
>
> Hi.
> 
> All your arguments are irrelevant regarding my post: Sergei stated
> that MySQL 3.23 would not be vulnerable to the posted exploit and I
> proved it is (respecting the rules given in the exploit). I never
> argued about the impact of the exploit.
> 
> To be true, I am worried about the answers we get. First, I wonder
> about how Sergei was not able to repeat it, when I had no problem. A
> test case showing that it did not work for him would have been nice
> (sorry, Sergei, no harm intended).
> 
> Then you simply "talk away" the harm of this exploit, and ignore what
> was said before. All your arguments may be valid, but have nothing to
> do with the fact that there is an exploitable bug, regardless of how much
> impact it has.
> 
> In fact, until now, nobody from MySQL even officially acknowledged that
> there is a problem, except implicitly by discussing it (on the
> mysql-list I mean... there was an answer on bugtraq).
> 
> I wrote my last mail just because I already confirmed that problem
> with 3.23 after I read bugtraq and therefore knew that Sergei must
> have tested in a different way than me.
> 

--
===========================================================================
"If you put three drops of poison into a 100 percent pure Java, you get - Windows. If 
you put a few drops of Java into Windows, you still have Windows."
    -- Sun Microsystems CEO, Scott McNealy
