[debian-mysql] Bug#490777: [Secure-testing-team] Bug#490777: binds to any with bind-address=127.0.0.1 if iface lo is not available

[Steve Langasek]

tags 490777 -etch
thanks

On Mon, Jul 14, 2008 at 03:20:33PM +0200, martin f krafft wrote:
> This is not true. If you install the etch version, it binds to
> 127.0.0.1, or to any if lo is not available.

Ah - I see that you're correct.  That's apparently a regression vs. sarge
that I wasn't aware of.

> Even if there is no exploitable security hole at the moment, it's
> a hole nevertheless. I don't trust mysqld at all, so if I hadn't
> inspected this system closely before taking it live, I would have
> been hit by something unexpected.

"I don't trust mysqld" is not a proven security hole. <shrug>

> I won't play ping pong, but I believe the critical severity was
> justified. I hope this will get fixed for etch in a security update,
> and I certainly hope lenny won't ship mysqld with that hole.

Well, at present you've filed the bug on etch only.  (In addition to the
stray suite tag, it's also marked as only being found in a package version
which is not an ancestor of the lenny package; you might want to fix that up
with a 'found' command referencing an appropriate lenny version which also
shows this bug.

> > I'm not sure why you've tagged this bug 'etch' - do you believe the bug to
> > be resolved in later versions of the package?

> No idea. I thought since I found it on etch, I'd tag it etch. Does
> 'etch' suggest 'etch-only' ??

Yes.  You should not use suite tags in the general case.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org