This one time, at band camp, Anon Sricharoenchai said:
> Package: phpmyadmin
> Version: 4:2.6.2-3sarge5
> Severity: critical
> Justification: root security hole
> Tags: security patch
>
> Since, phpmyadmin is on apache, and apache can be accessed from remote
> host, so remote host can access mysql's [EMAIL PROTECTED] via phpmyadmin.
> This will break mysql security policy.

Really? As you yourself noted, the default install doesn't give fewer
privileges to [EMAIL PROTECTED] over [EMAIL PROTECTED]. I don't see a
privilege escalation for the normal install here, so I don't see how this
is a security problem or a grave bug.

I agree it's a useful patch to allow admins to decrease the privilege of
[EMAIL PROTECTED] if they prefer.

I am not involved in phpmyadmin maintenance, so I won't do any bug triage
beyond this comment, but I suggest downgrading to wishlist, retitling
"I would like to be able to discover if this is a remote connection", and
removing the security tag.

Take care,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------