Package: mysql-5.5
Version: 5.5.17-1
Severity: serious
Tags: security

[Opening this as serious, as stable will be fixed through a
wheezy-security upload, and needs also be addressed for jessie]

Matthias Reichl reported the following issue with the mysql-5.5
package:

----cut---------cut---------cut---------cut---------cut---------cut-----
mysql-server-5.5 ships with the upstream mysql_install_db script
which creates a database "test" and sets up permissions that
allow anonymous access, without a password, from localhost to
the "test" database and any databases starting with "test_" that
users might have created after installing mysql-server.

mysql> select Host, User, Db from mysql.db;
+------+------+---------+
| Host | User | Db      |
+------+------+---------+
| %    |      | test    |
| %    |      | test\_% |
+------+------+---------+

MySQL documentation recommends dropping these permissions and
the "test" database.
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html ,
section "Securing Test Databases".

mysql-server-5.1 in squeeze didn't set up these permissions and
didn't create the test database; the Debian patches
33_scripts__mysql_create_system_tables__no_test.dpatch and
41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql .

Please re-add these patches to mysql-server-5.5 and include some code
in the pre/postinst script to remove these permissions and the
"test" database on current installations.
----cut---------cut---------cut---------cut---------cut---------cut-----

Regards,
Salvatore
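The cleanup the report asks for, written out as an added example (not the Debian package's maintainer scripts): a POSIX sh helper that detects anonymous-user grants on "test"/"test\_%" in mysql.db and applies the statements from the manual's "Securing Test Databases" section, narrowed to the anonymous user. It assumes a local MySQL 5.5 server that the invoking user can administer (e.g. credentials in ~/.my.cnf); the function names are mine.

```shell
#!/bin/sh
# Hardening helper for the anonymous test-database grants described above.
# Example code, not part of mysql-server-5.5's postinst. Assumes "mysql"
# connects to the local server with administrative rights.
set -eu

# Filter the rows of
#   mysql -N -e 'SELECT Host, User, Db FROM mysql.db'
# (tab-separated, one row per line, read on stdin) down to grants whose
# User is empty (anonymous) and whose Db starts with "test".
anonymous_test_grants() {
    awk -F '\t' '$2 == "" && $3 ~ /^test/ { print }'
}

# SQL after the MySQL manual, "Securing Test Databases", restricted to the
# anonymous user so that grants named users made on their own test_*
# databases survive; the manual's version deletes every test% row.
securing_test_db_sql() {
    cat <<'EOF'
DELETE FROM mysql.db WHERE User = '' AND Db LIKE 'test%';
FLUSH PRIVILEGES;
DROP DATABASE IF EXISTS test;
EOF
}

# Check first and only then apply, so the script is safe to re-run on an
# installation that has already been cleaned up (as a postinst must be).
harden_test_db() {
    found=$(mysql -N -e 'SELECT Host, User, Db FROM mysql.db' | anonymous_test_grants)
    if [ -n "$found" ]; then
        printf 'removing anonymous test-database grants:\n%s\n' "$found"
        securing_test_db_sql | mysql
    else
        echo 'no anonymous test-database grants found'
    fi
}

if [ "${1:-}" = "--apply" ]; then
    harden_test_db
fi
```

Run with `--apply` to perform the cleanup; without arguments the script only defines the functions, so the SQL can be reviewed with `securing_test_db_sql` first.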
