[debian-mysql] Bug#536548: mysql-dfsg-5.0: Updated 45_warn-CLI-passwords.dpatch for 5.0.83
Mathias Gug
mathiaz at ubuntu.com
Sat Jul 11 01:23:08 UTC 2009
Package: mysql-dfsg-5.0
Version: 5.0.83-1
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch
I've attached an updated version of 45_warn-CLI-passwords.dpatch so that
it applies cleanly to 5.0.83.
-- System Information:
Debian Release: squeeze/sid
APT prefers karmic-updates
APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24-24-server (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
--- debian/patches/45_warn-CLI-passwords.dpatch 2009-02-15 16:44:02 +0000
+++ debian/patches/45_warn-CLI-passwords.dpatch 2009-07-10 21:27:07 +0000
@@ -5,10 +5,22 @@
## DP: warn-CLI-passwords
@DPATCH@
-
---- old/client/mysqladmin.cc.orig 2005-11-15 01:12:30.000000000 +0100
-+++ new/client/mysqladmin.cc 2005-11-22 00:17:41.327082273 +0100
-@@ -154,7 +154,7 @@
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysql.cc mysql-dfsg-5.0-5.1.30really5.0.83/client/mysql.cc
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysql.cc 2009-05-29 14:15:31.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/client/mysql.cc 2009-07-10 17:24:45.000000000 -0400
+@@ -1395,7 +1395,7 @@
+ 0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0},
+ #endif
+ {"password", 'p',
+- "Password to use when connecting to server. If password is not given it's asked from the tty.",
++ "Password to use when connecting to server. If password is not given it's asked from the tty. WARNING: This is insecure as the password is visible for anyone through /proc for a short time.",
+ 0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
+ #ifdef __WIN__
+ {"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqladmin.cc mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqladmin.cc
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqladmin.cc 2009-05-29 14:15:31.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqladmin.cc 2009-07-10 17:24:45.000000000 -0400
+@@ -153,7 +153,7 @@
{"host", 'h', "Connect to host.", (gptr*) &host, (gptr*) &host, 0, GET_STR,
REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
{"password", 'p',
@@ -17,20 +29,10 @@
0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
#ifdef __WIN__
{"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
---- old/client/mysql.cc.orig 2005-11-15 01:12:45.000000000 +0100
-+++ new/client/mysql.cc 2005-11-22 00:17:41.329082230 +0100
-@@ -621,7 +621,7 @@
- 0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
- #endif
- {"password", 'p',
-- "Password to use when connecting to server. If password is not given it's asked from the tty.",
-+ "Password to use when connecting to server. If password is not given it's asked from the tty. WARNING: This is insecure as the password is visible for anyone through /proc for a short time.",
- 0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
- #ifdef __WIN__
- {"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
---- old/client/mysqldump.c.orig 2005-11-15 01:12:38.000000000 +0100
-+++ new/client/mysqldump.c 2005-11-22 00:17:41.332082165 +0100
-@@ -323,7 +323,7 @@
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqldump.c mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqldump.c
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqldump.c 2009-05-29 14:15:32.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqldump.c 2009-07-10 17:24:45.000000000 -0400
+@@ -357,7 +357,7 @@
"Sorts each table's rows by primary key, or first unique key, if such a key exists. Useful when dumping a MyISAM table to be loaded into an InnoDB table, but will make the dump itself take considerably longer.",
(gptr*) &opt_order_by_primary, (gptr*) &opt_order_by_primary, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
{"password", 'p',
@@ -39,19 +41,103 @@
0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
#ifdef __WIN__
{"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
---- old/client/mysqlshow.c.orig 2005-11-15 01:12:47.000000000 +0100
-+++ new/client/mysqlshow.c 2005-11-22 00:17:41.333082144 +0100
-@@ -185,7 +185,7 @@
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqlshow.c mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqlshow.c
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/client/mysqlshow.c 2009-05-29 14:15:32.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/client/mysqlshow.c 2009-07-10 17:24:45.000000000 -0400
+@@ -186,7 +186,7 @@
{"keys", 'k', "Show keys for table.", (gptr*) &opt_show_keys,
(gptr*) &opt_show_keys, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
{"password", 'p',
- "Password to use when connecting to server. If password is not given it's asked from the tty.",
+ "Password to use when connecting to server. If password is not given it's asked from the tty. WARNING: Providing a password on command line is insecure as it is visible through /proc to anyone for a short time.",
0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
- {"port", 'P', "Port number to use for connection.", (gptr*) &opt_mysql_port,
- (gptr*) &opt_mysql_port, 0, GET_UINT, REQUIRED_ARG, MYSQL_PORT, 0, 0, 0, 0,
---- old/scripts/mysqlaccess.sh.orig 2005-11-15 01:12:32.000000000 +0100
-+++ new/scripts/mysqlaccess.sh 2005-11-22 00:17:41.352081736 +0100
+ {"port", 'P', "Port number to use for connection or 0 for default to, in "
+ "order of preference, my.cnf, $MYSQL_TCP_PORT, "
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_convert_table_format.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_convert_table_format.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_convert_table_format.sh 2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_convert_table_format.sh 2009-07-10 17:24:50.000000000 -0400
+@@ -121,6 +121,8 @@
+
+ --password='password'
+ Password for the current user.
++ WARNING: Providing a password on command line is insecure as it is visible
++ through /proc to anyone for a short time.
+
+ --port=port
+ TCP/IP port to connect to if host is not "localhost".
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_explain_log.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_explain_log.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_explain_log.sh 2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_explain_log.sh 2009-07-10 17:24:51.000000000 -0400
+@@ -342,6 +342,9 @@
+ The MySQL username to use when connecting to the server
+ --password=PASSWORD, -p=PASSWORD
+ The password to use when connecting to the server
++ WARNING: Providing a password on command line is
++ insecure as it is visible through /proc to anyone
++ for a short time.
+ --socket=SOCKET, -s=SOCKET
+ The socket file to use when connecting to the server
+ --printerror=1, -e 1
+@@ -380,7 +383,7 @@
+
+ =head1 USAGE
+
+-mysql_explain_log [--date=YYMMDD] --host=dbhost] [--user=dbuser] [--password=dbpw] [--socket=/path/to/socket] [--printerror=1] < logfile
++mysql_explain_log [--date=YYMMDD] --host=dbhost] [--user=dbuser] [--password=dbpw (INSECURE)] [--socket=/path/to/socket] [--printerror=1] < logfile
+
+ --help, -h
+ Display this help message
+@@ -392,6 +395,8 @@
+ The MySQL username to use when connecting to the server
+ --password=PASSWORD, -p=PASSWORD
+ The password to use when connecting to the server
++ WARNING: Providing a password on command line is insecure
++ as it is visible through /proc to anyone for a short time.
+ --socket=SOCKET, -s=SOCKET
+ The socket file to use when connecting to the server
+ --printerror=1, -e 1
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_fix_privilege_tables.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_fix_privilege_tables.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_fix_privilege_tables.sh 2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_fix_privilege_tables.sh 2009-07-10 17:24:51.000000000 -0400
+@@ -49,6 +49,10 @@
+
+ case "$1" in
+ --no-defaults|--defaults-file=*|--defaults-extra-file=*)
++#
++# WARNING: Providing a password on command line is insecure as it is visible
++# through /proc to anyone for a short time.
++#
+ defaults="$1"; shift
+ ;;
+ esac
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_setpermission.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_setpermission.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_setpermission.sh 2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_setpermission.sh 2009-07-10 17:24:51.000000000 -0400
+@@ -641,6 +641,9 @@
+
+ --user : is the username to connect with.
+ --password : the password of the username.
++ WARNING: Providing a password on command line is
++ insecure as it is visible through /proc to anyone
++ for a short time.
+ --host : the host to connect to.
+ --socket : the socket to connect to.
+ --port : the port number of the host to connect to.
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_tableinfo.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_tableinfo.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysql_tableinfo.sh 2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysql_tableinfo.sh 2009-07-10 17:24:51.000000000 -0400
+@@ -462,6 +462,8 @@
+ =item -p, --password=#
+
+ password to use when connecting to server
++WARNING: Providing a password on command line is insecure as it is visible
++through /proc to anyone for a short time.
+
+ =item -h, --host=#
+
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqlaccess.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqlaccess.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqlaccess.sh 2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqlaccess.sh 2009-07-10 17:24:45.000000000 -0400
@@ -74,11 +74,17 @@
-u, --user=# username for logging in to the db
@@ -70,20 +156,10 @@
-H, --rhost=# remote MySQL-server to connect to
--old_server connect to old MySQL-server (before v3.21) which
does not yet know how to handle full where clauses.
---- old/scripts/mysql_convert_table_format.sh.orig 2005-11-15 01:12:45.000000000 +0100
-+++ new/scripts/mysql_convert_table_format.sh 2005-11-22 00:17:41.353081714 +0100
-@@ -107,6 +107,8 @@
-
- --password='password'
- Password for the current user.
-+ WARNING: Providing a password on command line is insecure as it is visible
-+ through /proc to anyone for a short time.
-
- --port=port
- TCP/IP port to connect to if host is not "localhost".
---- old/scripts/mysqld_multi.sh.orig 2005-11-15 01:12:46.000000000 +0100
-+++ new/scripts/mysqld_multi.sh 2005-11-22 00:17:41.355081671 +0100
-@@ -730,6 +730,9 @@
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqld_multi.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqld_multi.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqld_multi.sh 2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqld_multi.sh 2009-07-10 17:24:50.000000000 -0400
+@@ -675,6 +675,9 @@
mysqladmin = /path/to/mysqladmin/mysqladmin
socket = /tmp/mysql.sock3
port = 3308
@@ -93,21 +169,9 @@
pid-file = @localstatedir at 3/hostname.pid3
datadir = @localstatedir at 3
language = @datadir@/mysql/swedish
---- old/scripts/mysql_fix_privilege_tables.sh.orig 2005-11-15 01:12:47.000000000 +0100
-+++ new/scripts/mysql_fix_privilege_tables.sh 2005-11-22 00:17:41.357081628 +0100
-@@ -33,6 +33,10 @@
-
- case "$1" in
- --no-defaults|--defaults-file=*|--defaults-extra-file=*)
-+#
-+# WARNING: Providing a password on command line is insecure as it is visible
-+# through /proc to anyone for a short time.
-+#
- defaults="$1"; shift
- ;;
- esac
---- old/scripts/mysqlhotcopy.sh.orig 2005-11-15 01:12:47.000000000 +0100
-+++ new/scripts/mysqlhotcopy.sh 2005-11-22 00:17:41.358081607 +0100
+diff -urNad mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqlhotcopy.sh mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqlhotcopy.sh
+--- mysql-dfsg-5.0-5.1.30really5.0.83~/scripts/mysqlhotcopy.sh 2009-05-29 14:19:19.000000000 -0400
++++ mysql-dfsg-5.0-5.1.30really5.0.83/scripts/mysqlhotcopy.sh 2009-07-10 17:26:06.000000000 -0400
@@ -32,6 +32,7 @@
mysqlhotcopy --method='scp -Bq -i /usr/home/foo/.ssh/identity' --user=root --password=secretpassword \
@@ -123,12 +187,12 @@
+ WARNING: Providing a password on command line is
+ insecure as it is visible through /proc to anyone
+ for a short time.
- -h, --host=# Hostname for local server when connecting over TCP/IP
+ -h, --host=# hostname for local server when connecting over TCP/IP
-P, --port=# port to use when connecting to local server with TCP/IP
-S, --socket=# socket to use when connecting to local server
-@@ -1025,6 +1029,9 @@
+@@ -961,6 +965,9 @@
one of the config files, normally /etc/my.cnf or your personal ~/.my.cnf.
- (See the chapter 'my.cnf Option Files' in the manual)
+ (See the chapter 'my.cnf Option Files' in the manual.)
+WARNING: Providing a password on command line is insecure as it is visible
+through /proc to anyone for a short time.
@@ -136,56 +200,3 @@
=item -h, -h, --host=#
Hostname for local server when connecting over TCP/IP. By specifying this
---- old/scripts/mysql_setpermission.sh.orig 2005-11-15 01:12:30.000000000 +0100
-+++ new/scripts/mysql_setpermission.sh 2005-11-22 00:17:41.359081585 +0100
-@@ -647,6 +647,9 @@
-
- --user : is the username to connect with.
- --password : the password of the username.
-+ WARNING: Providing a password on command line is
-+ insecure as it is visible through /proc to anyone
-+ for a short time.
- --host : the host to connect to.
- --socket : the socket to connect to.
- --port : the port number of the host to connect to.
---- old/scripts/mysql_tableinfo.sh.orig 2005-11-15 01:12:32.000000000 +0100
-+++ new/scripts/mysql_tableinfo.sh 2005-11-22 00:17:41.360081564 +0100
-@@ -462,6 +462,8 @@
- =item -p, --password=#
-
- password to use when connecting to server
-+WARNING: Providing a password on command line is insecure as it is visible
-+through /proc to anyone for a short time.
-
- =item -h, --host=#
-
---- old/scripts/mysql_explain_log.sh 2007-02-20 18:49:37.000000000 +0100
-+++ new/scripts/mysql_explain_log.sh 2007-03-22 22:32:26.000000000 +0100
-@@ -341,6 +341,9 @@
- The MySQL username to use when connecting to the server
- --password=PASSWORD, -p=PASSWORD
- The password to use when connecting to the server
-+ WARNING: Providing a password on command line is
-+ insecure as it is visible through /proc to anyone
-+ for a short time.
- --socket=SOCKET, -s=SOCKET
- The socket file to use when connecting to the server
- --printerror=1, -e 1
-@@ -379,7 +382,7 @@
-
- =head1 USAGE
-
--mysql_explain_log [--date=YYMMDD] --host=dbhost] [--user=dbuser] [--password=dbpw] [--socket=/path/to/socket] [--printerror=1] < logfile
-+mysql_explain_log [--date=YYMMDD] --host=dbhost] [--user=dbuser] [--password=dbpw (INSECURE)] [--socket=/path/to/socket] [--printerror=1] < logfile
-
- --help, -h
- Display this help message
-@@ -391,6 +394,8 @@
- The MySQL username to use when connecting to the server
- --password=PASSWORD, -p=PASSWORD
- The password to use when connecting to the server
-+ WARNING: Providing a password on command line is insecure
-+ as it is visible through /proc to anyone for a short time.
- --socket=SOCKET, -s=SOCKET
- The socket file to use when connecting to the server
- --printerror=1, -e 1
More information about the pkg-mysql-maint
mailing list