[cobalt-security] Security Advisory - MySQL
- Subject: [cobalt-security] Security Advisory - MySQL
- From: Jeff Bilicki <jeffb@xxxxxxxxxx>
- Date: Sat, 12 Feb 2000 16:50:49 -0800
Cobalt Networks -- Security Advisory -- 02.12.2000
** NOTE **
MySQL does not come installed on any of Cobalt's products. If you have
not installed MySQL, ignore this security advisory.
Problem:
From: http://www.securityfocus.com/vdb/bottom.html?vid=975
"A vulnerability exists in the password verification scheme utilized by
MySQL. This vulnerability will allow any user on a machine that has been
granted access to connect to the database to connect as any user to that
database. Instead of having to know an account name and password, the
attacker need only know a legitimate account name. Versions from
3.22.26a and above are vulnerable. Prior versions may too be vulnerable;
this has not been confirmed."
Relevant products and architectures
Product    Architecture    Vulnerable
Qube1      MIPS            yes
Qube2      MIPS            yes
RaQ1       MIPS            yes
RaQ2       MIPS            yes
RaQ3       x86             yes
** NOTE **
MySQL is not supported on any Cobalt platform, and these RPMs are also
unsupported. Please read the link below before proceeding.
ftp://ftp.cobaltnet.com/pub/experimental/security/mysql/README
If you want to rebuild from source, you can find the patch I used at:
ftp://ftp.cobaltnet.com/pub/experimental/security/mysql/access.patch
RPMS:
RaQ 1 - RaQ 2 - Qube 2 - Qube 1
ftp://ftp.cobaltnet.com/pub/experimental/security/mysql/mips/
    MySQL-3.22.30-1C1.mips.rpm
    MySQL-bench-3.22.30-1C1.mips.rpm
    MySQL-client-3.22.30-1C1.mips.rpm
    MySQL-devel-3.22.30-1C1.mips.rpm
RaQ 3
ftp://ftp.cobaltnet.com/pub/experimental/security/mysql/i386/
    MySQL-3.22.30-1C2.i386.rpm
    MySQL-bench-3.22.30-1C2.i386.rpm
    MySQL-client-3.22.30-1C2.i386.rpm
    MySQL-devel-3.22.30-1C2.i386.rpm
    MySQL-shared-3.22.30-1C2.i386.rpm
SRPMS:
ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/
RaQ 1 - RaQ 2 - Qube 2 - Qube 1
    MySQL-3.22.30-1C1.src.rpm
RaQ 3
    MySQL-3.22.30-1C2.src.rpm
-
Jeff Bilicki
Software Engineer
Cobalt Networks