[debian-mysql] Bug#510875: mysql-server-5.0: does not ask for a password for `root' by default
Thijs Kinkhorst
thijs at debian.org
Mon Jan 5 15:42:38 UTC 2009
severity 510875 important
thanks

Hi Ansgar,

On Mon, January 5, 2009 16:12, Ansgar Burchardt wrote:
> Package: mysql-server-5.0
> Version: 5.0.32-7etch8
> Severity: grave
> Tags: security
> Justification: user security hole
> This results in an empty root password by default.

It is well known that MySQL installations have a default empty root
password. This is clearly documented in the MySQL manual and described in
about every MySQL tutorial or book you will find. Furthermore the MySQL
server is not in the initial configuration accessible remotely.

It is laudable that the Debian package tries to bring this to the
attention of the user and allows them to set one, and I think the
maintainers should give your request due consideration. However, because
of the reason I cite, I do not think we should be treating this as a
"grave user security hole".

Thijs