Your message dated Mon, 26 Sep 2005 20:23:55 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#330164: mysql-server-4.1: Authentication bypass
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 26 Sep 2005 13:06:30 +0000
>From [EMAIL PROTECTED] Mon Sep 26 06:06:30 2005
Return-path: <[EMAIL PROTECTED]>
Received: from box79162.elkhouse.de [213.9.79.162]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1EJsgg-0007kA-00; Mon, 26 Sep 2005 06:06:30 -0700
Received: from localhost.localdomain (unknown [195.227.105.180])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Martin Pitt (workstation)", Issuer "piware CA" (verified
OK))
by box79162.elkhouse.de (Postfix) with ESMTP id D24C019637E
for <[EMAIL PROTECTED]>; Mon, 26 Sep 2005 15:05:54 +0200 (CEST)
Received: by localhost.localdomain (Postfix, from userid 1000)
id A3A951FDA9; Mon, 26 Sep 2005 15:05:51 +0200 (CEST)
Date: Mon, 26 Sep 2005 15:05:51 +0200
From: Martin Pitt <[EMAIL PROTECTED]>
To: Debian BTS Submit <[EMAIL PROTECTED]>
Subject: mysql-server-4.1: Authentication bypass
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="SLDf9lqlvOQaIe6s"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
--SLDf9lqlvOQaIe6s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: mysql-server-4.1
Version: 4.1.12-1
Severity: grave
Tags: security
Hi Christian!
MySQL 4.1 and 5.0 are prone to an authentication bypass:
http://www.nextgenss.com/advisories/mysql-authbypass.txt
4.0 seems to be unaffected. There is no CAN number yet.
Thanks,
Martin
--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
--SLDf9lqlvOQaIe6s
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDN/IvDecnbV4Fd/IRAgeGAJ4mMcalYeZSsDAktg9DBTrwhQwxeACg6KlX
G8daD91sb6FWhDtAGBp/UsE=
=cZEj
-----END PGP SIGNATURE-----
--SLDf9lqlvOQaIe6s--
---------------------------------------
Received: (at 330164-done) by bugs.debian.org; 26 Sep 2005 18:24:16 +0000
>From [EMAIL PROTECTED] Mon Sep 26 11:24:16 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail3b.westend.com (mail3b2.westend.com) [212.117.79.78]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1EJxeC-0002Dg-00; Mon, 26 Sep 2005 11:24:16 -0700
Received: from localhost (localhost [127.0.0.1])
by mail3b2.westend.com (Postfix) with ESMTP id 94C6A1212B4;
Mon, 26 Sep 2005 20:24:14 +0200 (CEST)
Received: from mail3b2.westend.com ([127.0.0.1])
by localhost (mail3b [127.0.0.1]) (amavisd-new, port 20024)
with ESMTP id 27036-09; Mon, 26 Sep 2005 20:23:56 +0200 (CEST)
Received: from app109.intern (gate.lathspell.de [212.117.68.82])
by mail3b2.westend.com (Postfix) with ESMTP id 8425D121276;
Mon, 26 Sep 2005 20:23:56 +0200 (CEST)
Date: Mon, 26 Sep 2005 20:23:55 +0200
From: Christian Hammers <[EMAIL PROTECTED]>
To: sean finney <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#330164: mysql-server-4.1: Authentication bypass
Message-ID: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
X-Mailer: Sylpheed-Claws 1.0.5 (GTK+ 1.2.10; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Hello
On 2005-09-26 sean finney wrote:
> > http://www.nextgenss.com/advisories/mysql-authbypass.txt
>
> - woody isn't affected, as it doesn't carry 4.x at all
> - sarge/4.1 isn't affected afaict, as it ships 4.1.11a.
> - as you stated in your next mail, it doesn't seem that sarge/4.0 is
> affected. - sarge doesn't carry a 5.0 version
> - thus all sid versions should be okay too.
After checking the advisory I would say that Sean is right, no Debian versions
are vulnerable any more as this advisory is really very old.
I close the bug report therefore.
bye,
-christian-
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
