aboutsummaryrefslogtreecommitdiff
path: root/share/security/advisories/FreeBSD-SA-00:05.mysql.asc
diff options
context:
space:
mode:
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-00:05.mysql.asc')
-rw-r--r--share/security/advisories/FreeBSD-SA-00:05.mysql.asc92
1 files changed, 92 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-00:05.mysql.asc b/share/security/advisories/FreeBSD-SA-00:05.mysql.asc
new file mode 100644
index 0000000000..a8f0768081
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-00:05.mysql.asc
@@ -0,0 +1,92 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+=============================================================================
+FreeBSD-SA-00:05 Security Advisory
+ FreeBSD, Inc.
+
+Topic: MySQL allows bypassing of password authentication
+
+Category: ports
+Module: mysql322-server
+Announced: 2000-02-28
+Affects: Ports collection before the correction date.
+Corrected: 2000-02-15
+FreeBSD only: NO
+
+I. Background
+
+MySQL is a popular SQL database client/server distributed as part of the
+FreeBSD ports collection.
+
+II. Problem Description
+
+The MySQL database server (versions prior to 3.22.32) has a flaw in the
+password authentication mechanism which allows anyone who can connect to
+the server to access databases without requiring a password, given a valid
+username on the database - in other words, the normal password
+authentication mechanism can be completely bypassed.
+
+MySQL is not installed by default, nor is it "part of FreeBSD" as such: it
+is part of the FreeBSD ports collection, which contains over 3100
+third-party applications in a ready-to-install format.
+
+FreeBSD makes no claim about the security of these third-party
+applications, although an effort is underway to provide a security audit
+of the most security-critical ports.
+
+III. Impact
+
+The successful attacker will have all of the access rights of that
+database user and may be able to read, add or modify records.
+
+If you have not chosen to install the mysql322-server port/package, then
+your system is not vulnerable.
+
+IV. Workaround
+
+Use appropriate access-control lists to limit which hosts can initiate
+connections to MySQL databases - see:
+
+http://www.mysql.com/Manual_chapter/manual_Privilege_system.html
+
+for more information. If unrestricted remote access to the database is not
+required, consider using ipfw(8) or ipf(8), or your network perimeter
+firewall, to prevent remote access to the database from untrusted machines
+(MySQL uses TCP port 3306 for network communication). Note that users who
+have access to machines which are allowed to initiate database connections
+(e.g. local users) can still exploit the security hole.
+
+V. Solution
+
+One of the following:
+
+1) Upgrade your entire ports collection and rebuild the mysql322-server
+port.
+
+2) Reinstall a new package obtained from:
+
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-server-3.22.32.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databases/mysql-server-3.22.32.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/databases/mysql-server-3.22.32.tgz
+
+3) download a new port skeleton for the mysql322-server port from:
+
+http://www.freebsd.org/ports/
+
+and use it to rebuild the port.
+
+4) Use the portcheckout utility to automate option (3) above. The
+portcheckout port is available in /usr/ports/devel/portcheckout or the
+package can be obtained from:
+
+ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.2
+
+iQCVAwUBOLtYEVUuHi5z0oilAQHtbwP/TF0hNZwrO/wAuBjYF8Eff5aDU1KtnA9D
+u0bcUakDgF/nODVxgOFZ1MfaK95PAhRqdYvtwssTqTXwlRB+PU0vtwjdt3p3l8d3
+SixfhxT+Ys/v222jK+o6lJdxfKOC4chNDseboSRoCSLEESNl2NDGkBKezKSzzlng
+vzxtva695bI=
+=KYqf
+-----END PGP SIGNATURE-----
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-05 01:56:20 +0000