These points are all well considered, but the point is that I operate
under the assumption that the bad guys out there already have this
information, and that only legit people don't have it because they do not
operate in those circles. And yes, if you are operating a service on the
internet, you should be expected to act immediately on such news. There
are too many out there ready to exploit holes in systems to the detriment
of the entire internet.

In essence, as a system administrator you have to be ready to either a) act
immediately or b) take your chances during the time you don't act. I see
full disclosure as a big heads up and I think it is more valuable than the
downside of letting more bad people know of the problem, as, I noted, I
see the black hats as already having the knowledge.

I know it is an imperfect world, and, legitimately, the way most routers
are set up, Monday will be just fine for locking down the bug, but I'm
glad I know...

But your points are well taken, I am just more pessimistic about the state
of knowledge in the cracker community.

 Chris

> Hi Chris,
>
> You should not forget those users who depend greatly on the tech support
> (patches) of the manufacturer. Given your expertise and knowledge you might
> be able to protect yourself, but not everybody is (as a matter of fact even
> Gustavo said he isn't). In addition, to make things worse, today is Sunday,
> and given the usual working hours in most countries, there's a very small
> chance that someone from AB Konsulting has read this. On the other hand,
> quite a number of hobby vandals, who spend their free days looking for
> holes, might have found a nice new toy to play with, and Gustavo even
> provided the "how-to".
>
> I agree with you on the first point: If this is a known bug, it has to be
> part of the "known-bug-list" and given its severity, be stated clearly on
> the MySQL web site. Crashed server applications often bear the risk of
> allowing a hacker to execute his own code, thus making such a bug really
> dangerous, especially for web applications.
>
> Your third point is a bit optimistic... Are you really prepared to react
> immediately to all known or unknown security risks? If you have 10,000 users
> using your application on a daily basis, or if you have 100 sites running
> with it, every modification of a core component of your databases requires
> good planning and careful handling. On a production server you usually don't
> have the freedom to experiment a lot with your home-made patches.
>
> Don't get me wrong, I am not at all opposed to disclosure. This is what
> makes programs like MySQL, Linux etc. so powerful and more secure than
> closed-source software. Remember the problems with Interbase, or Hotmail
> (even better!) or the countless problems on Microsoft programs. It's
> indispensable to search for bugs, but again, give the manufacturer at least
> a chance to look into a matter before giving hackers a doorway to crash your
> machine and worse steal or destroy your data.
>
> Markus Gieppner
> MGF International Inc.
>
>
>
>
>
>
>
>
> -----Original Message-----
> From: Chris DiBona [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 29, 2001 6:08 PM
> To: Markus Gieppner
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Ordinary users can crash mysql server
>
>
> I disagree with you, Markus, and here is why..
>
> 1....Gustavo probably isn't the only person who has noticed this, so it's
> fair to say it's already made the rounds amongst those who aren't so nice.
>
> 2....this _is_ the mysql list.
>
> 3....this way, people can plan for such a problem and button things up
> until a fix is forthcoming.
>
> 4....whether he went to the manufacturer or not, I personally am happy
> that he posted it, it made me batten down a hatch or two.
>
>  Chris
>
> --
> Marketing Manager, OSDN Events                      |   http://www.osdn.com
> Grant Chair, Linux International.             |   http://www.li.org
> Co-editor, Open Sources                             |   http://www.dibona.com
>
> On Sun, 29 Apr 2001, Markus Gieppner wrote:
>
> > Bom dia, Gustavo,
> >
> > I am not in a position to comment nor to verify your warning. However, I am
> > pretty annoyed by the way you make it public to the world. Unless I missed
> > something here, but when someone discovers a security hole in any program,
> > it's common standard to contact the manufacturer immediately, directly and
> > offlist and give him a chance to comment and/or release a patch within a
> > reasonable timeframe. If then, after a couple of weeks, you didn't get any
> > response from the manufacturer, you should go public. I don't know if you did
> > that; if you did, I apologize and ask you to ignore this message.
> >
> > Just imagine what doors you might open to hackers and vandals who always
> > monitor these lists. (Where else could they get inspiration and necessary
> > info for their sick minds???)! A major security bug could threaten thousands
> > of sites all over the world. Responsible and fair handling is a must.
> >
> > Obrigado.
> >
> > Markus Gieppner
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, April 29, 2001 11:13 AM
> > To: [EMAIL PROTECTED]
> > Subject: Ordinary users can crash mysql server
> >
> >
> > >Description:
> >     When an ordinary user tries to analyze the bin log using a remote host (-h
> > ip_address) the mysql server daemon crashes.
> > >How-To-Repeat:
> >     Just use mysqlbinlog to analyze a remote host binlog.
> >     mysql -h ip_address -u user -p pass file
> >
> >     For instance (My environment):
> >     shell> mysql -h 192.168.1.11 -u awp -p root etosha-bin.001
> >
> > >Fix:
> >     I lack the required level of expertise to fix it, sorry!
> >
> > >Submitter-Id:      <submitter ID>
> > >Originator:        Gustavo Rios
> > >Organization:      Ifour Sistemas
> >
> > >MySQL support: [none]
> > >Synopsis:
> > >Severity:  [ critical ]
> > >Priority:  [ high ]
> > >Category:  mysql
> > >Class:
> > >Release:   mysql-3.23.37 (Source distribution)
> > >Server: /usr/local/bin/mysqladmin  Ver 8.19 Distrib 3.23.37, for unknown-freebsdelf4.3 on i386
> > Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
> > This software comes with ABSOLUTELY NO WARRANTY. This is free software,
> > and you are welcome to modify and redistribute it under the GPL license
> >
> > Server version              3.23.37-log
> > Protocol version    10
> > Connection          Localhost via UNIX socket
> > UNIX socket         /tmp/mysql.sock
> > Uptime:                     1 hour 49 min 17 sec
> >
> > Threads: 1  Questions: 10  Slow queries: 0  Opens: 10  Flush tables: 1  Open
> > tables: 4  Queries per second avg: 0.002
> > >Environment:
> >
> > System: FreeBSD etosha.ifour.com.br 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri
> > Apr 27 13:46:06 GMT 2001
> > [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETOSHA  i386
> >
> >
> > Some paths:  /usr/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc
> > /usr/bin/cc
> > GCC: Using builtin specs.
> > gcc version 2.95.3 [FreeBSD] 20010315 (release)
> > Compilation info: CC='gcc'  CFLAGS=''  CXX='gcc'
> > CXXFLAGS='-felide-constructors -fno-exceptions -fno-rtti'  LDFLAGS=''
> > LIBC:
> > -r--r--r--  1 root  wheel  1174494 Apr 27 13:26 /usr/lib/libc.a
> > lrwxr-xr-x  1 root  wheel  9 Apr 27 13:26 /usr/lib/libc.so -> libc.so.4
> > -r--r--r--  1 root  wheel  561548 Apr 27 13:26 /usr/lib/libc.so.4
> > Configure command:
> > ./configure  --without-perl --without-debug --with-mit-threads=no --with-libwrap --with-charset=latin1 --with-extra-charsets=none --enable-assembler --with-berkeley-db --with-innodb --localstatedir=/var/db/mysql
> > Perl: This is perl, version 5.005_03 built for i386-freebsd
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> >    http://www.mysql.com/manual.php   (the manual)
> >    http://lists.mysql.com/           (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> >

