Re: MySQL security flaws uncovered

2002-12-18 Thread Lenz Grimmer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 18 Dec 2002, Michael Bacarella wrote:

> A good question posted to another list..
>
> > forwarded message follows
> >
> > Several vulnerabilities have been found in the MySQL database system,
> > a light database package commonly used in Linux environments but which
> > runs also on Microsoft platforms, HP-Unix, Mac OS and more.
> > http://zdnet.com.com/2100-1104-977958.html
>
> So why no mention on the MySQL.COM site?  That rather bugs me.  In
> contrast, sites for products like Apache or Bind are very clear about
> current/past security issues.
>
> Is MySQL.COM the wrong place?

No, it was an internal communication problem - this was the first time I
had to handle a security problem and I was not aware that our PR team did
not catch my internal message about the security vulnerability. We will
send out an announcement today, which will also be put on the web pages.
You can find my initial announcement here:

http://lists.mysql.com/cgi-ez/ezmlm-cgi?2:mss:144:200212:cedhfgmdkobfodelamkh

Sorry for the confusion - next time I hope to get it straight at once.

Bye,
LenZ
- -- 
For technical support contracts, visit https://order.mysql.com/?ref=mlgr
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /  Mr. Lenz Grimmer [EMAIL PROTECTED]
 / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/ Hamburg, Germany
   ___/   www.mysql.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE+ACX8SVDhKrJykfIRAgbBAJ9hI3CXVhnExGKnIR76eA/XqpJyiQCfZhHP
iB3kePO5YLRO+6wt5Lv5Qf4=
=M4MK
-----END PGP SIGNATURE-----


-
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/   (the list archive)

To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php




Re: MySQL security flaws uncovered

2002-12-18 Thread Michael She
It's bad for business : )

Maybe they're taking the MS route.


At 12:19 AM 12/18/2002 -0500, Michael Bacarella wrote:

> A good question posted to another list..
>
> > forwarded message follows
> >
> > Several vulnerabilities have been found in the MySQL database system, a
> > light database package commonly used in Linux environments but which runs
> > also on Microsoft platforms, HP-Unix, Mac OS and more.
> > http://zdnet.com.com/2100-1104-977958.html
>
> So why no mention on the MySQL.COM site?  That rather bugs me.  In contrast,
> sites for products like Apache or Bind are very clear about current/past
> security issues.
>
> Is MySQL.COM the wrong place?
>
> --
> Michael Bacarella  | Netgraft Corp
>                    | 545 Eighth Ave #401
>  Systems Analysis  | New York, NY 10018
> Technical Support  | 212 946-1038 | 917 670-6982
>  Managed Services  | http://netgraft.com/

--
Michael She  : [EMAIL PROTECTED]
Mobile   : (519) 589-7309
WWW Homepage : http://www.binaryio.com/




Re: MySQL security flaws uncovered

2002-12-18 Thread Csongor Fagyal
Michael She wrote:

> It's bad for business : )
>
> Maybe they're taking the MS route.


I second this. These vulnerabilities are serious, they must be given
more attention. Apache, PHP, RedHat and so on and so on are very careful
with issues like this, all vulnerabilities/exploits are immediately
published through all possible channels. Yes, it is always a pain to
find out something like this, obviously the MySQL team just would like
to forget this once and for all, but doing troublesome
reinstalls/upgrades and so on is still better than getting our system
hacked.

- Cs.





Re: MySQL security flaws uncovered

2002-12-18 Thread Lenz Grimmer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 18 Dec 2002, Csongor Fagyal wrote:

> Michael She wrote:
>
> > It's bad for business : )
> > Maybe they're taking the MS route.
>
> I second this. These vulnerabilities are serious, they must be given
> more attention. Apache, PHP, RedHat and so on and so on are very careful
> with issues like this, all vulnerabilities/exploits are immediately
> published through all possible channels. Yes, it is always a pain to
> find out something like this, obviously the MySQL team just would like
> to forget this once and for all, but doing troublesome
> reinstalls/upgrades and so on is still better than getting our system
> hacked.

No, this is definitely not the case. As I've written in a separate
message, we immediately reacted and released 3.23.54 to resolve this
issue. The security problem was clearly mentioned in the release
announcement that was posted to our announce mailing list:

http://lists.mysql.com/cgi-ez/ezmlm-cgi?2:mss:144:200212:cedhfgmdkobfodelamkh

But I fully agree - in this case the release announcement should have been
put up on the web site as well. This was an error on our side and it will
not happen again.

We will send out another (more public) announcement later today, which
will also be put up on the web pages.

Bye,
LenZ
- -- 
For technical support contracts, visit https://order.mysql.com/?ref=mlgr
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /  Mr. Lenz Grimmer [EMAIL PROTECTED]
 / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/ Hamburg, Germany
   ___/   www.mysql.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE+AG9dSVDhKrJykfIRAnvDAJ9gmSFlvz5s5Uj+KJryW/xRjUeOiwCfUXsr
SQosoQaAyX/msQye8itk12k=
=dPgn
-----END PGP SIGNATURE-----




RE: MySQL security flaws uncovered

2002-12-18 Thread Adam Nelson
The real problem is the lack of a central knowledgebase.  Is there one
that I'm not aware of?  Even if there is, it should be very obvious off
the front page of the website.




Re: MySQL security flaws uncovered

2002-12-18 Thread Stefan Hinz, iConnect (Berlin)
Csongor, Michael:

> > Maybe they're taking the MS route.
>
> I second this. These vulnerabilities are serious, they must be given
> more attention. Apache, PHP, RedHat and so on and so on are very careful
> with issues like this, all vulnerabilities/exploits are immediately
> published through all possible channels.

Have a look at the website of the person who uncovered the security flaw:

<cite>
Vendor Response
03. December 2002 Vendor was contacted by email.
04. December 2002 Vendor informs me that bugs are fixed and that they
started building new packages.
12. December 2002 Vendor has released MySQL 3.23.54 which fixes these
vulnerabilities.
</cite>

Doesn't look like the MS way to me. See for yourselves:

http://security.e-matters.de/advisories/042002.html

Regards,
--
  Stefan Hinz [EMAIL PROTECTED]
  CEO / Geschäftsleitung iConnect GmbH http://iConnect.de
  Heesestr. 6, 12169 Berlin (Germany)
  Telefon: +49 30 7970948-0  Fax: +49 30 7970948-3




MySQL security flaws uncovered

2002-12-17 Thread Michael Bacarella
A good question posted to another list..

> forwarded message follows
>
> Several vulnerabilities have been found in the MySQL database system, a
> light database package commonly used in Linux environments but which runs
> also on Microsoft platforms, HP-Unix, Mac OS and more.
> http://zdnet.com.com/2100-1104-977958.html

So why no mention on the MySQL.COM site?  That rather bugs me.  In contrast, 
sites for products like Apache or Bind are very clear about current/past 
security issues.

Is MySQL.COM the wrong place?

-- 
Michael Bacarella  | Netgraft Corp
   | 545 Eighth Ave #401
 Systems Analysis  | New York, NY 10018
Technical Support  | 212 946-1038 | 917 670-6982
 Managed Services  | http://netgraft.com/
