[debian-mysql] Bug#490777: [Secure-testing-team] Bug#490777: binds to any with bind-address=127.0.0.1 if iface lo is not available
Steve Langasek
vorlon at debian.org
Mon Jul 14 13:11:30 UTC 2008
severity 490777 important
thanks
On Mon, Jul 14, 2008 at 11:27:01AM +0200, martin f krafft wrote:
> Package: mysql-server-5.0
> Version: 5.0.32-7etch5
> Severity: critical
> Tags: security etch
"critical" severity is used for:

  makes unrelated software on the system (or the whole system) break, or
  causes serious data loss, or introduces a security hole on systems where
  you install the package.

Installing this package does not cause the described security hole; by
default, mysqld does not bind to TCP at all, and listening on a TCP port is
not a security issue per se in any case.

I'm not sure why you've tagged this bug 'etch' - do you believe the bug to
be resolved in later versions of the package?

> Arguably, this is a problem with the vserver
Yes, a quite frequent problem with vserver...
> but mysqld should definitely not bind to any as a consequence. Instead, it
> should refuse to start.
Yes, definitely.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
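
Added example, not part of the original message or of the mysql-server package: a check that the address mysqld actually listens on matches the configured bind-address, which would catch the fallback to "any" described in this bug. It assumes Linux /proc/net/tcp on a little-endian host, IPv4 only, and MySQL's default port 3306; the function names and the sample table are constructed for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not taken from the bug report):
# row 0 is a wildcard listener on 3306, row 1 a loopback-only listener on 5432,
# row 2 an established connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 12345
   1: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12346
   2: 0100007F:0CEA 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000   105        0 12347
"""

TCP_LISTEN = 0x0A  # socket state value the kernel prints for LISTEN


def listeners(proc_net_tcp):
    """Return [(ip, port)] for every IPv4 socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Assumption: little-endian host, so the 32-bit word is byte-swapped.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(hex_port, 16)))
    return found


def bind_violations(proc_net_tcp, port, expected_ip):
    """Addresses listening on `port` that differ from the configured bind-address."""
    return [ip for ip, p in listeners(proc_net_tcp) if p == port and ip != expected_ip]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP  # fall back to the constructed sample
    bad = bind_violations(table, 3306, "127.0.0.1")
    print("unexpected listeners on 3306:", bad or "none")
```

Run after every service start in environments where the loopback interface may be missing, and treat any non-empty result as a failed start.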