Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-22 Thread Fred van Engen
Hi, On Wed, Mar 21, 2001 at 08:39:55AM +0100, Benjamin Pflugmann wrote: > Sorry to contradict, but have a look: > > newton:~> mysql -u root -e "select version()" > +---+ > | version() | > +---+ > | 3.23.33 | > +---+ > 8:26:25 newton:~> sudo -u mysql touch /tmp/test # ju

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Thalis A. Kalfigopoulos
I think that Benjamin was trying to make a point here regarding an easily reproducible scenario (I don't care if you wanna call it a "security flaw" or a "flying pig") under some conditions which are not that hard to come upon in the real world. The problem that really comes to mind is that som

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread alvin
Benjamin Pflugmann wrote: > > Hi. > > All your arguments are irrelevant regarding my post: Sergei stated > that MySQL 3.23 would not be vulnerable to the posted exploit and I > proved it is (respecting the rules given in the exploit). I never > argued about the impact of the exploit. > > To be

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread
This isn't a new bug. This was mentioned about a year ago. Besides, this isn't just a mysqld problem - it's a problem that plagues ANY TCP/IP based daemon. It's common sys admin sense NOT to run ANY daemon as root unless there is absolutely, positively NO OTHER WAY to get it to run properly.

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann
Hi. On Wed, Mar 21, 2001 at 02:56:42PM +0100, I wrote: [...] > Nevertheless, you agree that this behaviour is not intended and should > / will be fixed? Sergei (implicitly) answered this question in another mail, so you may consider this thread as closed. I expect no further answer. Bye,

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann
Hi. On Wed, Mar 21, 2001 at 11:25:01AM +0100, [EMAIL PROTECTED] wrote: [...] > > > > The original message below was posted to the BugTraq mailing list. Have the > > > > developers seen this? I know it talks about version mysql-3.20.32a (which is > > > > ancient), but he mentions that it affects o

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Sinisa Milivojevic
Benjamin Pflugmann writes: > Hi. > I already agreed (again, in a part of my last mail you did not quote) > that there is room to argue about the probability that someone has to > environment to use it. > > Nevertheless, you agree that this behaviour is not intended and should > / will be

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann
Hi. Unfortunately, again you don't answer to my mail, but only to a side comment I made. :-( On Wed, Mar 21, 2001 at 03:37:45PM +0200, [EMAIL PROTECTED] wrote: > Benjamin Pflugmann writes: > > Hi. > > > Of course, that's why I was explicitly talking about the fact, that the > > user needs CREA

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Sinisa Milivojevic
Benjamin Pflugmann writes: > Hi. > Of course, that's why I was explicitly talking about the fact, that the > user needs CREATE privileges (FILE privileges are not needed, if I am > not mistaken). > > > > First of all, it is easy to reproduce a test case. Second, that FILE privilege

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann
Hi. All your arguments are irrelevant regarding my post: Sergei stated that MySQL 3.23 would not be vulnerable to the posted exploit and I proved it is (respecting the rules given in the exploit). I never argued about the impact of the exploit. To be true, I am worried about the answers we get.

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Sinisa Milivojevic
Benjamin Pflugmann writes: > Hi. > > On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote: > > Hi! > > > > On Mar 20, Basil Hussain wrote: > > > Hi all, > > > > > > The original message below was posted to the BugTraq mailing list. Have the > > > developers seen this? I k

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Sergei Golubchik
Hi! On Mar 21, Benjamin Pflugmann wrote: > Hi. > > On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote: > > Hi! > > > > On Mar 20, Basil Hussain wrote: > > > Hi all, > > > > > > The original message below was posted to the BugTraq mailing list. Have the > > > developers seen this

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann
Hi. On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote: > Hi! > > On Mar 20, Basil Hussain wrote: > > Hi all, > > > > The original message below was posted to the BugTraq mailing list. Have the > > developers seen this? I know it talks about version mysql-3.20.32a (which is > > a

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-20 Thread Sergei Golubchik
Hi! On Mar 20, Basil Hussain wrote: > Hi all, > > The original message below was posted to the BugTraq mailing list. Have the > developers seen this? I know it talks about version mysql-3.20.32a (which is > ancient), but he mentions that it affects other versions. > > Anyway, I don't run my MyS