I have been experimenting with some environment modifications around this bug. I am sure that's not related to mysqlbinlog only. It happens because of compilation with support for libwrap. Any other program that does TCP/IP to MySQL will crash it!

Rene Tegel wrote:
>
> You just did the right thing: you posted an anomaly to the list. That's not bad,
> that's good. Thanx for notifying us!
>
> Don't worry about possible abuse, as far as I can see you need a normal mysql
> account anyhow in the first place, and if any system administrator would notice such
> a user killing the daemon on purpose, he/she'd probably first kick him out of the
> system for ever, and then tell him/her he/she could be sued (or in fact: sue him/her
> if there is any damage).
>
> So, if a system administrator has such users, it's his/her own mistake. Security is
> not made by a system or by mysql, security is made or broken by humans.
>
> regards,
>
> rene
>
> On Mon, 30 Apr 2001 07:28:44 -0300
> Gustavo Vieira Gonçalves Coelho Rios <[EMAIL PROTECTED]> wrote:
>
> > Hi folks!
> >
> > Since we (not we, just my account) at Ifour had some problem with email,
> > I did not get all responses to my bug report.
> >
> > But, by reading some messages, I can see it was not a good thing to have
> > posted the message on the list. Please forgive me for whatever I have
> > done. I have just done so because that's what is stated in the Manual,
> > and since I am a MySQL beginner... I do read the manuals.
> >
> > Again, I am sorry for any problem I may have caused.
> > BTW, what was my mistake?
> >
> > Markus Gieppner wrote:
> > >
> > > Hi Chris,
> > >
> > > You should not forget those users who depend greatly on the tech support
> > > (patches) of the manufacturer. Given your expertise and knowledge you might
> > > be able to protect yourself, but not everybody is (as a matter of fact even
> > > Gustavo said he isn't). In addition, to make things worse, today is Sunday,
> > > and given the usual working hours in most countries, there's a very small
> > > chance that someone from AB Konsulting has read this. On the other hand,
> > > quite a number of hobby vandals, who spend their free days looking for
> > > holes, might have found a nice new toy to play with, and Gustavo even
> > > provided the "how-to".
> > >
> > > I agree with you on the first point: If this is a known bug, it has to be
> > > part of the "known-bug-list" and given its severity, be stated clearly on
> > > the MySQL web site. Crashed server applications often bear the risk of
> > > allowing a hacker to execute his own code, thus making such a bug really
> > > dangerous, especially for web applications.
> > >
> > > Your third point is a bit optimistic... Are you really prepared to react
> > > immediately to all known or unknown security risks? If you have 10.000 users
> > > using your application on a daily basis, or if you have 100 sites running
> > > with it, every modification of a core component of your databases requires
> > > good planning and careful handling. On a production server you usually don't
> > > have the freedom to experiment a lot with your home-made patches.
> > >
> > > Don't get me wrong, I am not at all opposed to disclosure. This is what
> > > makes programs like MySQL, Linux etc. so powerful and more secure than
> > > closed-source software. Remember the problems with Interbase, or Hotmail
> > > (even better!) or the countless problems on Microsoft programs. It's
> > > indispensable to search for bugs, but again, give the manufacturer at least
> > > a chance to look into a matter before giving hackers a doorway to crash your
> > > machine and worse steal or destroy your data.
> > >
> > > Markus Gieppner
> > > MGF International Inc.
> > >
> > > -----Original Message-----
> > > From: Chris DiBona [mailto:[EMAIL PROTECTED]]
> > > Sent: Sunday, April 29, 2001 6:08 PM
> > > To: Markus Gieppner
> > > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > Subject: RE: Ordinary users can crash mysql server
> > >
> > > I disagree with you Markus, and here is why..
> > >
> > > 1....Gustavo probably isn't the only person who has noticed this, so it's
> > > fair to say it's already made the round amongst those who aren't so nice.
> > >
> > > 2....this _is_ the mysql list.
> > >
> > > 3....this way, people can plan for such a problem and button things up
> > > until a fix is forthcoming.
> > >
> > > 4....whether he went to the manufacturer or not, I personally am happy
> > > that he posted it, it made me batten down a hatch or two.
> > >
> > > Chris
> > >
> > > --
> > > Marketing Manager, OSDN Events | http://www.osdn.com
> > > Grant Chair, Linux International. | http://www.li.org
> > > Co-editor, Open Sources | http://www.dibona.com
> > >
> > > On Sun, 29 Apr 2001, Markus Gieppner wrote:
> > >
> > > > Good morning, Gustavo,
> > > >
> > > > I am not in a position to comment nor to verify your warning. However, I am
> > > > pretty annoyed by the way you make it public to the world. Unless I missed
> > > > something here, but when someone discovers a security hole in any program,
> > > > it's common standard to contact the manufacturer immediately, directly and
> > > > offlist and give him a chance to comment and/or release a patch within a
> > > > reasonable timeframe. If then, after a couple of weeks, you didn't get any
> > > > response from the manufacturer, you should go public. I don't know if you did
> > > > that, if you did I apologize and ask to ignore this message.
> > > >
> > > > Just imagine what doors you might open to hackers and vandals who always
> > > > monitor these lists. (Where else could they get inspiration and necessary
> > > > info for their sick minds???)! A major security bug could threaten thousands
> > > > of sites all over the world. Responsible and fair handling is a must.
> > > >
> > > > Thank you.
> > > >
> > > > Markus Gieppner
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > > Sent: Sunday, April 29, 2001 11:13 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Ordinary users can crash mysql server
> > > >
> > > > >Description:
> > > > When an ordinary user tries to analyze the bin log using a remote host (-h
> > > > ip_address), the mysql server daemon crashes.
> > > > >How-To-Repeat:
> > > > Just use mysqlbinlog to analyze a remote host binlog.
> > > > mysql -h ip_address -u user -p pass file
> > > >
> > > > For instance (My environment):
> > > > shell> mysql -h 192.168.1.11 -u awp -p root etosha-bin.001
> > > >
> > > > >Fix:
> > > > I lack the required level of expertise to fix it, sorry!
> > > >
> > > > >Submitter-Id: <submitter ID>
> > > > >Originator: Gustavo Rios
> > > > >Organization: Ifour Sistemas
> > > > >MySQL support: [none]
> > > > >Synopsis:
> > > > >Severity: [ critical ]
> > > > >Priority: [ high ]
> > > > >Category: mysql
> > > > >Class:
> > > > >Release: mysql-3.23.37 (Source distribution)
> > > > >Server: /usr/local/bin/mysqladmin Ver 8.19 Distrib 3.23.37, for unknown-freebsdelf4.3 on i386
> > > > Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
> > > > This software comes with ABSOLUTELY NO WARRANTY. This is free software,
> > > > and you are welcome to modify and redistribute it under the GPL license
> > > >
> > > > Server version 3.23.37-log
> > > > Protocol version 10
> > > > Connection Localhost via UNIX socket
> > > > UNIX socket /tmp/mysql.sock
> > > > Uptime: 1 hour 49 min 17 sec
> > > >
> > > > Threads: 1 Questions: 10 Slow queries: 0 Opens: 10 Flush tables: 1 Open tables: 4 Queries per second avg: 0.002
> > > > >Environment:
> > > >
> > > > System: FreeBSD etosha.ifour.com.br 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri Apr 27 13:46:06 GMT 2001
> > > > [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETOSHA i386
> > > >
> > > > Some paths: /usr/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc /usr/bin/cc
> > > > GCC: Using builtin specs.
> > > > gcc version 2.95.3 [FreeBSD] 20010315 (release)
> > > > Compilation info: CC='gcc' CFLAGS='' CXX='gcc' CXXFLAGS='-felide-constructors -fno-exceptions -fno-rtti' LDFLAGS=''
> > > > LIBC:
> > > > -r--r--r-- 1 root wheel 1174494 Apr 27 13:26 /usr/lib/libc.a
> > > > lrwxr-xr-x 1 root wheel 9 Apr 27 13:26 /usr/lib/libc.so -> libc.so.4
> > > > -r--r--r-- 1 root wheel 561548 Apr 27 13:26 /usr/lib/libc.so.4
> > > > Configure command:
> > > > ./configure --without-perl --without-debug --with-mit-threads=no --with-libwrap --with-charset=latin1 --with-extra-charsets=none --enable-assembler --with-berkeley-db --with-innodb --localstatedir=/var/db/mysql
> > > > Perl: This is perl, version 5.005_03 built for i386-freebsd
> > > >
> > > > ---------------------------------------------------------------------
> > > > Before posting, please check:
> > > > http://www.mysql.com/manual.php (the manual)
> > > > http://lists.mysql.com/ (the list archive)
> > > >
> > > > To request this thread, e-mail <[EMAIL PROTECTED]>
> > > > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > > > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: Ordinary users can crash mysql server
Gustavo Vieira Gonçalves Coelho Rios Mon, 30 Apr 2001 10:00:19 -0700