Hi,
On Wed, Mar 21, 2001 at 08:39:55AM +0100, Benjamin Pflugmann wrote:
Sorry to contradict, but have a look:
newton:~ mysql -u root -e "select version()"
+-----------+
| version() |
+-----------+
| 3.23.33   |
+-----------+
8:26:25 newton:~ sudo -u mysql touch /tmp/test # just created
Hi.
On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote:
Hi!
On Mar 20, Basil Hussain wrote:
Hi all,
The original message below was posted to the BugTraq mailing list. Have the
developers seen this? I know it talks about version mysql-3.20.32a (which is
ancient), but
Hi!
On Mar 21, Benjamin Pflugmann wrote:
Hi.
On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote:
Hi!
On Mar 20, Basil Hussain wrote:
Hi all,
The original message below was posted to the BugTraq mailing list. Have the
developers seen this? I know it talks
Benjamin Pflugmann writes:
Hi.
On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote:
Hi!
On Mar 20, Basil Hussain wrote:
Hi all,
The original message below was posted to the BugTraq mailing list. Have the
developers seen this? I know it talks about
Hi.
All your arguments are irrelevant regarding my post: Sergei stated
that MySQL 3.23 would not be vulnerable to the posted exploit and I
proved it is (respecting the rules given in the exploit). I never
argued about the impact of the exploit.
To be true, I am worried about the answers we get.
Benjamin Pflugmann writes:
Hi.
cut
Of course, that's why I was explicitly talking about the fact that the
user needs CREATE privileges (FILE privileges are not needed, if I am
not mistaken).
First of all, it is easy to reproduce a test case.
Second, that FILE privilege I
Hi.
Unfortunately, again you don't answer to my mail, but only to a side
comment I made. :-(
On Wed, Mar 21, 2001 at 03:37:45PM +0200, [EMAIL PROTECTED] wrote:
Benjamin Pflugmann writes:
Hi.
cut
Of course, that's why I was explicitly talking about the fact that the
user needs CREATE
Benjamin Pflugmann writes:
Hi.
cut
I already agreed (again, in a part of my last mail you did not quote)
that there is room to argue about the probability that someone has the
environment to use it.
Nevertheless, you agree that this behaviour is not intended and should
/ will be
Hi.
On Wed, Mar 21, 2001 at 11:25:01AM +0100, [EMAIL PROTECTED] wrote:
[...]
The original message below was posted to the BugTraq mailing list. Have the
developers seen this? I know it talks about version mysql-3.20.32a (which is
ancient), but he mentions that it affects other
Hi.
On Wed, Mar 21, 2001 at 02:56:42PM +0100, I wrote:
[...]
Nevertheless, you agree that this behaviour is not intended and should
/ will be fixed?
Sergei (implicitly) answered this question in another mail, so you may
consider this thread as closed. I expect no further answer.
Bye,
This isn't a new bug. This was mentioned about a year ago.
Besides, this isn't just a mysqld problem - it's a problem that plagues ANY TCP/IP
based daemon. It's common sys admin sense NOT to run ANY daemon as root unless there
is absolutely, positively NO OTHER WAY to get it to run properly.
Benjamin Pflugmann wrote:
Hi.
All your arguments are irrelevant regarding my post: Sergei stated
that MySQL 3.23 would not be vulnerable to the posted exploit and I
proved it is (respecting the rules given in the exploit). I never
argued about the impact of the exploit.
To be true, I
I think that Benjamin was trying to make a point here regarding an easily reproducible
scenario (I don't care if you wanna call it a "security flaw" or a "flying pig") under
some conditions which are not that hard to come upon in the real world.
The problem that really comes to mind is that
Hi!
On Mar 20, Basil Hussain wrote:
Hi all,
The original message below was posted to the BugTraq mailing list. Have the
developers seen this? I know it talks about version mysql-3.20.32a (which is
ancient), but he mentions that it affects other versions.
Anyway, I don't run my MySQL