I disagree with you, Markus, and here is why...

1....Gustavo probably isn't the only person who has noticed this, so it's
fair to say it's already made the rounds amongst those who aren't so nice.

2....this _is_ the mysql list.

3....this way, people can plan for such a problem and button things up
until a fix is forthcoming.

4....whether he went to the manufacturer or not, I personally am happy
that he posted it; it made me batten down a hatch or two.

 Chris

--
Marketing Manager, OSDN Events                |   http://www.osdn.com
Grant Chair, Linux International.             |   http://www.li.org
Co-editor, Open Sources                       |   http://www.dibona.com

On Sun, 29 Apr 2001, Markus Gieppner wrote:

> Good morning, Gustavo,
>
> I am not in a position to comment nor to verify your warning. However, I am
> pretty annoyed by the way you make it public to the world. Unless I missed
> something here, when someone discovers a security hole in any program,
> it's common standard to contact the manufacturer immediately, directly and
> offlist and give him a chance to comment and/or release a patch within a
> reasonable timeframe. If then, after a couple of weeks, you didn't get any
> response from the manufacturer, you should go public. I don't know if you did
> that; if you did, I apologize and ask you to ignore this message.
>
> Just imagine what doors you might open to hackers and vandals who always
> monitor these lists. (Where else could they get inspiration and necessary
> info for their sick minds???)! A major security bug could threaten thousands
> of sites all over the world. Responsible and fair handling is a must.
>
> Thank you.
>
> Markus Gieppner
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 29, 2001 11:13 AM
> To: [EMAIL PROTECTED]
> Subject: Ordinary users can crash mysql server
>
>
> >Description:
>       When an ordinary user tries to analyze the bin log using a remote host (-h
> ip_address), the mysql server daemon crashes.
> >How-To-Repeat:
>       Just use mysqlbinlog to analyze a remote host's binlog.
>       mysql -h ip_address -u user -p pass file
>
>       For instance (My environment):
>       shell> mysql -h 192.168.1.11 -u awp -p root etosha-bin.001
>
> >Fix:
>       I lack the required level of expertise to fix it, sorry!
>
> >Submitter-Id:        <submitter ID>
> >Originator:  Gustavo Rios
> >Organization:        Ifour Sistemas
>
> >MySQL support: [none]
> >Synopsis:
> >Severity:    [ critical ]
> >Priority:    [ high ]
> >Category:    mysql
> >Class:
> >Release:     mysql-3.23.37 (Source distribution)
> >Server: /usr/local/bin/mysqladmin  Ver 8.19 Distrib 3.23.37, for
> unknown-freebsdelf4.3 on i386
> Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
> This software comes with ABSOLUTELY NO WARRANTY. This is free software,
> and you are welcome to modify and redistribute it under the GPL license
>
> Server version                3.23.37-log
> Protocol version      10
> Connection            Localhost via UNIX socket
> UNIX socket           /tmp/mysql.sock
> Uptime:                       1 hour 49 min 17 sec
>
> Threads: 1  Questions: 10  Slow queries: 0  Opens: 10  Flush tables: 1  Open
> tables: 4 Queries per second avg: 0.002
> >Environment:
>
> System: FreeBSD etosha.ifour.com.br 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri
> Apr 27 13:46:06 GMT 2001
> [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETOSHA  i386
>
>
> Some paths:  /usr/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc
> /usr/bin/cc
> GCC: Using builtin specs.
> gcc version 2.95.3 [FreeBSD] 20010315 (release)
> Compilation info: CC='gcc'  CFLAGS=''  CXX='gcc'
> CXXFLAGS='-felide-constructors -fno-exceptions -fno-rtti'  LDFLAGS=''
> LIBC:
> -r--r--r--  1 root  wheel  1174494 Apr 27 13:26 /usr/lib/libc.a
> lrwxr-xr-x  1 root  wheel  9 Apr 27 13:26 /usr/lib/libc.so -> libc.so.4
> -r--r--r--  1 root  wheel  561548 Apr 27 13:26 /usr/lib/libc.so.4
> Configure command:
> ./configure --without-perl --without-debug --with-mit-threads=no --with-libwrap --with-charset=latin1 --with-extra-charsets=none --enable-assembler --with-berkeley-db --with-innodb --localstatedir=/var/db/mysql
> Perl: This is perl, version 5.005_03 built for i386-freebsd
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>
>
>
>
>


