Package: mysql-server-5.0
Version: 5.0.45-1
Severity: important
Tags: security

(Tagging +security, as this left me with two password-less root MySQL accounts.)

Since some version between sarge and etch, mysql-server-5.0 now creates three MySQL root accounts: [EMAIL PROTECTED], [EMAIL PROTECTED] and [EMAIL PROTECTED]. (Is this documented somewhere? Upstream only creates two, according to the manual.)

The (only?) recommended way to change the root password, as stated in README.Debian, is to use mysqladmin -u root. This, however, will only modify the password of [EMAIL PROTECTED], and leave the other two as they were. (In my case, since I installed using etch before upgrading to sarge, I ended up with two password-less root accounts that I wasn't aware of, until my next reboot when your check script flagged them.)

I'm not all too familiar with the finer working points of MySQL, but is there a need for creating all three root accounts by default? Could this either be skipped, or made optional? Are there any situations where [EMAIL PROTECTED] will not work?

Failing that, README.Debian should be updated to either instruct to run mysqladmin thrice, or ditch it and run SQL commands directly (SET PASSWORD or UPDATE).

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-1-k7 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mysql-server-5.0 depends on:
ii  adduser                3.104              add and remove users and groups
ii  debconf [debconf-2.0]  1.5.14             Debian configuration management sy
ii  libc6                  2.6-5              GNU C Library: Shared libraries
ii  libdbi-perl            1.57-1             Perl5 database interface by Tim Bu
ii  libgcc1                1:4.2.1-1          GCC support library
ii  libmysqlclient15off    5.0.45-1           MySQL database client library
ii  libncurses5            5.6+20070716-1     Shared libraries for terminal hand
ii  libreadline5           5.2-3              GNU readline and history libraries
ii  libstdc++6             4.2.1-1            The GNU Standard C++ Library v3
ii  libwrap0               7.6.dbs-14         Wietse Venema's TCP wrappers libra
ii  lsb-base               3.1-24             Linux Standard Base 3.1 init scrip
ii  mysql-client-5.0       5.0.45-1           MySQL database client binaries
ii  mysql-common           5.0.45-1           MySQL database common files
ii  passwd                 1:4.0.18.1-11      change and administer password and
ii  perl                   5.8.8-7            Larry Wall's Practical Extraction
ii  psmisc                 22.5-1             Utilities that use the proc filesy
ii  zlib1g                 1:1.2.3.3.dfsg-5   compression library - runtime

Versions of packages mysql-server-5.0 recommends:
ii  mailx                  1:8.1.2-0.20070424cvs-1  A simple mail user agent

-- debconf information:
  mysql-server-5.0/really_downgrade: false
  mysql-server-5.0/need_sarge_compat: false
  mysql-server-5.0/start_on_boot: true
  mysql-server/error_setting_password:
  mysql-server-5.0/nis_warning:
  mysql-server-5.0/postrm_remove_databases: false
  mysql-server-5.0/need_sarge_compat_done: true
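
An added example, not part of the original report: a Python audit that reads a User/Host/Password listing of mysql.user, flags every password-less root account, and emits one SET PASSWORD statement per affected account, as the report suggests doing in SQL. The sample rows, host names, hashes and the `<new-password>` placeholder are constructed, and the input format (tab-separated batch output of the mysql client) is an assumption.

```python
# Added example: audit mysql.user rows for password-less root accounts.
# Assumed input: tab-separated output of
#   mysql -N -B -e "SELECT User, Host, Password FROM mysql.user"
# (MySQL 5.0 schema, where the hash is stored in the Password column).

# Constructed sample rows; host names and hashes are made up.
SAMPLE = (
    "root\tlocalhost\t*0123456789ABCDEF0123456789ABCDEF01234567\n"
    "root\tdb01\t\n"
    "root\t127.0.0.1\t\n"
    "debian-sys-maint\tlocalhost\t*89ABCDEF0123456789ABCDEF0123456789ABCDEF\n"
)


def parse_accounts(dump):
    """Return (user, host, password_hash) tuples from the batch output."""
    accounts = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (3 - len(fields))  # a trailing empty column may be lost
        accounts.append((fields[0], fields[1], fields[2].strip()))
    return accounts


def passwordless(accounts, user="root"):
    """Accounts of `user` whose Password column is empty."""
    return [(u, h) for u, h, pw in accounts if u == user and pw == ""]


def sql_quote(value):
    """Quote a MySQL string literal (escape backslash and single quote)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def fix_statements(accounts, user="root"):
    """One SET PASSWORD per affected user@host; the password is a placeholder."""
    return [
        "SET PASSWORD FOR %s@%s = PASSWORD('<new-password>');"
        % (sql_quote(u), sql_quote(h))
        for u, h in passwordless(accounts, user)
    ]


if __name__ == "__main__":
    for stmt in fix_statements(parse_accounts(SAMPLE)):
        print(stmt)
```

Each user@host pair is a separate account with its own password, so the audit has to cover every Host value for the user rather than a single login.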