[debian-mysql] Bug#490777: [Secure-testing-team] Bug#490777: binds to any with bind-address=127.0.0.1 if iface lo is not available

martin f krafft madduck at debian.org
Mon Jul 14 13:20:33 UTC 2008


also sprach Steve Langasek <vorlon at debian.org> [2008.07.14.1511 +0200]:
> "critical" severity is used for:
> 
>   makes unrelated software on the system (or the whole system) break, or
>   causes serious data loss, or introduces a security hole on systems where
>   you install the package.
> 
> Installing this package does not cause the described security hole; by
> default, mysqld does not bind to TCP at all, and listening on a TCP port is
> not a security issue per se in any case.

This is not true. If you install the etch version, it binds to
127.0.0.1, or to any if lo is not available.

Even if there is no exploitable security hole at the moment, it's
a hole nevertheless. I don't trust mysqld at all, so if I hadn't
inspected this system closely before taking it live, I would have
been hit by something unexpected.

I won't play ping pong, but I believe the critical severity was
justified. I hope this will get fixed for etch in a security update,
and I certainly hope lenny won't ship mysqld with that hole.

> I'm not sure why you've tagged this bug 'etch' - do you believe the bug to
> be resolved in later versions of the package?

No idea. I thought since I found it on etch, I'd tag it etch. Does
'etch' suggest 'etch-only'?

-- 
 .''`.   martin f. krafft <madduck at debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
 
if god is perfect, why did he create discontinuous functions?
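The failure mode discussed in this thread (mysqld configured with bind-address=127.0.0.1 but actually listening on the wildcard address) is cheap to check for before a system goes live. The following audit script is an added example, not code from the bug report or from the Debian mysql packaging. It assumes the column layout of `ss -ltnp` output and uses constructed sample data for both the my.cnf fragment and the socket listing; on a real host you would feed it the actual file and the actual `ss` output.

```python
import re

# Constructed sample of `ss -ltnp` output (not taken from the bug report).
# The first mysqld socket is the expected loopback bind; the second is the
# wildcard fallback this thread describes; sshd is there as an unrelated daemon.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1234,fd=20))
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=5678,fd=20))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

# Constructed my.cnf fragment with the setting assumed in the bug report.
SAMPLE_MY_CNF = """\
[mysqld]
bind-address = 127.0.0.1   # comment after the value
port = 3306
"""

# Addresses that mean "every interface" in ss output (IPv4 and IPv6 forms).
WILDCARDS = {"0.0.0.0", "::", "*", "[::]"}

# One LISTEN row of `ss -ltnp`: state, queues, local addr:port, peer, process.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_bind_address(my_cnf_text, default="0.0.0.0"):
    """Return the bind-address set in the [mysqld] section, or `default` if unset.

    The default mirrors the behaviour the thread complains about: with no
    explicit (or no effective) bind-address, the server ends up on the wildcard.
    """
    section = None
    value = default
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "mysqld" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.replace("_", "-") == "bind-address":   # bind_address is a synonym
                value = val
    return value


def listening_sockets(ss_text, process="mysqld"):
    """Return [(local_address, port), ...] for every LISTEN socket owned by `process`.

    Rows without a process column (ss run without -p, or without the privilege
    to see other users' processes) do not match and are ignored.
    """
    result = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group("proc") == process:
            result.append((m.group("addr"), int(m.group("port"))))
    return result


def audit(my_cnf_text, ss_text):
    """List every mysqld listening socket whose address differs from bind-address.

    A wildcard socket is called out explicitly, since that is the case where a
    service believed to be loopback-only is reachable from other hosts.
    """
    configured = parse_bind_address(my_cnf_text)
    findings = []
    for addr, port in listening_sockets(ss_text):
        if addr == configured:
            continue
        msg = f"mysqld listens on {addr}:{port} but bind-address is {configured}"
        if addr in WILDCARDS:
            msg += " (wildcard: reachable on every interface)"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MY_CNF, SAMPLE_SS_OUTPUT):
        print(finding)
```

Run against the constructed samples, the loopback socket is silently accepted and the 0.0.0.0:3306 socket is reported as a wildcard mismatch. The check is deliberately a comparison against the configured value rather than a blanket "no wildcard" rule, so a host where bind-address is intentionally 0.0.0.0 produces no noise; the interesting signal is the configuration and the kernel's socket table disagreeing.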