Hi folks! Since we (not we, just my account) at Ifour had some problems with email, I didn't get all responses to my bug report. But, by reading some messages, I can see it was not a good thing to have posted the message on the list. Please forgive me for whatever I have done. I just did so because that's what is stated in the manual, and since I am a MySQL beginner... I do read the manuals. Again, I am sorry for any problem I may have caused. BTW, what was my mistake?

Markus Gieppner wrote:
>
> Hi Chris,
>
> You should not forget those users who depend greatly on the tech support
> (patches) of the manufacturer. Given your expertise and knowledge you might
> be able to protect yourself, but not everybody is (as a matter of fact even
> Gustavo said he isn't). In addition, to make things worse, today is Sunday,
> and given the usual working hours in most countries, there's a very small
> chance that someone from AB Konsulting has read this. On the other hand,
> quite a number of hobby vandals, who spend their free days looking for
> holes, might have found a nice new toy to play with, and Gustavo even
> provided the "how-to".
>
> I agree with you on the first point: If this is a known bug, it has to be
> part of the "known-bug-list" and, given its severity, be stated clearly on
> the MySQL web site. Crashed server applications often bear the risk of
> allowing a hacker to execute his own code, thus making such a bug really
> dangerous, especially for web applications.
>
> Your third point is a bit optimistic... Are you really prepared to react
> immediately to all known or unknown security risks? If you have 10.000 users
> using your application on a daily basis, or if you have 100 sites running
> with it, every modification of a core component of your databases requires
> good planning and careful handling. On a production server you usually don't
> have the freedom to experiment a lot with your home-made patches.
>
> Don't get me wrong, I am not at all opposed to disclosure. This is what
> makes programs like MySQL, Linux etc. so powerful and more secure than
> closed-source software. Remember the problems with Interbase, or Hotmail
> (even better!) or the countless problems on Microsoft programs. It's
> indispensable to search for bugs, but again, give the manufacturer at least
> a chance to look into a matter before giving hackers a doorway to crash your
> machine and, worse, steal or destroy your data.
>
> Markus Gieppner
> MGF International Inc.
>
> -----Original Message-----
> From: Chris DiBona [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 29, 2001 6:08 PM
> To: Markus Gieppner
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Ordinary users can crash mysql server
>
> I disagree with you, Markus, and here is why..
>
> 1....Gustavo probably isn't the only person who has noticed this, so it's
> fair to say it's already made the rounds amongst those who aren't so nice.
>
> 2....this _is_ the mysql list.
>
> 3....this way, people can plan for such a problem and button things up
> until a fix is forthcoming.
>
> 4....whether he went to the manufacturer or not, I personally am happy
> that he posted it, it made me batten down a hatch or two.
>
> Chris
>
> --
> Marketing Manager, OSDN Events | http://www.osdn.com
> Grant Chair, Linux International. | http://www.li.org
> Co-editor, Open Sources | http://www.dibona.com
>
> On Sun, 29 Apr 2001, Markus Gieppner wrote:
>
> > Good morning, Gustavo,
> >
> > I am not in a position to comment nor to verify your warning. However, I am
> > pretty annoyed by the way you make it public to the world. Unless I missed
> > something here, but when someone discovers a security hole in any program,
> > it's common standard to contact the manufacturer immediately, directly and
> > offlist and give him a chance to comment and/or release a patch within a
> > reasonable timeframe. If then, after a couple of weeks, you didn't get any
> > response from the manufacturer, you should go public. I don't know if you did
> > that; if you did, I apologize and ask you to ignore this message.
> >
> > Just imagine what doors you might open to hackers and vandals who always
> > monitor these lists. (Where else could they get inspiration and necessary
> > info for their sick minds???)! A major security bug could threaten thousands
> > of sites all over the world. Responsible and fair handling is a must.
> >
> > Thank you.
> >
> > Markus Gieppner
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, April 29, 2001 11:13 AM
> > To: [EMAIL PROTECTED]
> > Subject: Ordinary users can crash mysql server
> >
> > >Description:
> > When an ordinary user tries to analyze a bin log using a remote host (-h
> > ip_address) the mysql server daemon crashes.
> > >How-To-Repeat:
> > Just use mysqlbinlog to analyze a remote host binlog.
> > mysql -h ip_address -u user -p pass file
> >
> > For instance (my environment):
> > shell> mysql -h 192.168.1.11 -u awp -p root etosha-bin.001
> >
> > >Fix:
> > I lack the required level of expertise to fix it, sorry!
> >
> > >Submitter-Id: <submitter ID>
> > >Originator: Gustavo Rios
> > >Organization: Ifour Sistemas
> >
> > >MySQL support: [none]
> > >Synopsis:
> > >Severity: [ critical ]
> > >Priority: [ high ]
> > >Category: mysql
> > >Class:
> > >Release: mysql-3.23.37 (Source distribution)
> > >Server: /usr/local/bin/mysqladmin Ver 8.19 Distrib 3.23.37, for
> > unknown-freebsdelf4.3 on i386
> > Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
> > This software comes with ABSOLUTELY NO WARRANTY. This is free software,
> > and you are welcome to modify and redistribute it under the GPL license
> >
> > Server version 3.23.37-log
> > Protocol version 10
> > Connection Localhost via UNIX socket
> > UNIX socket /tmp/mysql.sock
> > Uptime: 1 hour 49 min 17 sec
> >
> > Threads: 1 Questions: 10 Slow queries: 0 Opens: 10 Flush tables: 1 Open
> > tables: 4 Queries per second avg: 0.002
> > >Environment:
> >
> > System: FreeBSD etosha.ifour.com.br 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri
> > Apr 27 13:46:06 GMT 2001
> > [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETOSHA i386
> >
> > Some paths: /usr/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc
> > /usr/bin/cc
> > GCC: Using builtin specs.
> > gcc version 2.95.3 [FreeBSD] 20010315 (release)
> > Compilation info: CC='gcc' CFLAGS='' CXX='gcc'
> > CXXFLAGS='-felide-constructors -fno-exceptions -fno-rtti' LDFLAGS=''
> > LIBC:
> > -r--r--r-- 1 root wheel 1174494 Apr 27 13:26 /usr/lib/libc.a
> > lrwxr-xr-x 1 root wheel 9 Apr 27 13:26 /usr/lib/libc.so -> libc.so.4
> > -r--r--r-- 1 root wheel 561548 Apr 27 13:26 /usr/lib/libc.so.4
> > Configure command:
> > ./configure --without-perl --without-debug --with-mit-threads=no --with-libwrap --with-charset=latin1 --with-extra-charsets=none --enable-assembler --with-berkeley-db --with-innodb --localstatedir=/var/db/mysql
> > Perl: This is perl, version 5.005_03 built for i386-freebsd
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> > http://www.mysql.com/manual.php (the manual)
> > http://lists.mysql.com/ (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: Ordinary users can crash mysql server
Gustavo Vieira Gonçalves Coelho Rios Mon, 30 Apr 2001 03:13:56 -0700