Your message dated Sat, 18 Jan 2014 22:20:03 +0000
with message-id <e1w4efh-0003nv...@franck.debian.org>
and subject line Bug#732306: fixed in mysql-5.5 5.5.35+dfsg-1
has caused the Debian Bug report #732306,
regarding mysql-5.5: installation creates database test and sets up insecure database permissions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
732306: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mysql-5.5
Version: 5.5.17-1
Severity: serious
Tags: security
[Opening this as serious, as stable will be fixed through a
wheezy-security upload, and it needs also to be addressed for jessie]
Matthias Reichl reported the following issue with the mysql-5.5
package:
----cut---------cut---------cut---------cut---------cut---------cut-----
mysql-server-5.5 ships with the upstream mysql_install_db script
which creates a database "test" and sets up permissions that
allow anonymous access, without a password, from localhost to
the "test" database and any databases starting with "test_" that
users might have created after installing mysql-server.
mysql> select Host, User, Db from mysql.db;
+------+------+---------+
| Host | User | Db      |
+------+------+---------+
| %    |      | test    |
| %    |      | test\_% |
+------+------+---------+
MySQL documentation recommends dropping these permissions and
the "test" database; see
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html,
section "Securing Test Databases".
mysql-server-5.1 in squeeze didn't set up these permissions and
didn't create the test database; the Debian patches
33_scripts__mysql_create_system_tables__no_test.dpatch and
41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql.
Please re-add these patches to mysql-server-5.5 and include some code
in the pre/postinst script to remove these permissions and the
"test" database on current installations.
----cut---------cut---------cut---------cut---------cut---------cut-----
Regards,
Salvatore
--- End Message ---
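The remediation requested in the report above, written out as an added example (it is not code from the bug report or from the Debian package): the audit query, the grant cleanup recommended in the MySQL manual's "Securing Test Databases" section, and a verification step. It assumes a privileged client session (for example `mysql -u root -p`) and goes one step beyond the report by also listing anonymous accounts in mysql.user.

```sql
-- Added example, not part of the original bug report or the Debian packaging.
-- Assumes a session with privileges on the mysql schema, e.g. mysql -u root -p.

-- 1. Audit: every database-level grant held by the anonymous user (User = '').
--    On an affected mysql-server-5.5 install this returns the two rows shown
--    in the report: Host '%' on Db 'test' and on Db 'test\_%'.
SELECT Host, User, Db FROM mysql.db WHERE User = '';

-- 2. Remove those grants. The stored value test\_% begins with the literal
--    characters "test", so the single pattern 'test%' matches both rows.
--    Restricting on User = '' leaves any grants admins gave to real accounts.
DELETE FROM mysql.db WHERE User = '' AND Db LIKE 'test%';

-- 3. Drop the empty "test" database created by mysql_install_db. Databases
--    that users named test_<something> are kept; they merely lose the
--    anonymous grant removed in step 2.
DROP DATABASE IF EXISTS test;

-- 4. Reload the in-memory grant tables; DELETE on mysql.db does not take
--    effect for running sessions until this is done.
FLUSH PRIVILEGES;

-- 5. Verify: both queries should now return an empty result set.
--    The second goes beyond the report and lists anonymous login accounts
--    themselves (the rows that make ''@'localhost' access possible at all).
SELECT Host, User, Db FROM mysql.db WHERE User = '';
SELECT User, Host FROM mysql.user WHERE User = '';
```

Run step 1 before and step 5 after applying the package update on an existing installation; the postinst fix in the package only helps systems that are upgraded, so installs restored from backups or cloned images need the same check.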
--- Begin Message ---
Source: mysql-5.5
Source-Version: 5.5.35+dfsg-1
We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 732...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Page <jamesp...@debian.org> (supplier of updated mysql-5.5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 18 Jan 2014 21:38:18 +0000
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev
mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5
mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all amd64
Version: 5.5.35+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: James Page <jamesp...@debian.org>
Description:
libmysqlclient-dev - MySQL database development files
libmysqlclient18 - MySQL database client library
libmysqld-dev - MySQL embedded database development files
libmysqld-pic - PIC version of MySQL embedded server development files
mysql-client - MySQL database client (metapackage depending on the latest versio
mysql-client-5.5 - MySQL database client binaries
mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
mysql-server - MySQL database server (metapackage depending on the latest versio
mysql-server-5.5 - MySQL database server binaries and system database setup
mysql-server-core-5.5 - MySQL database server binaries
mysql-source-5.5 - MySQL source
mysql-testsuite-5.5 - MySQL testsuite
Closes: 711600 732306
Changes:
mysql-5.5 (5.5.35+dfsg-1) unstable; urgency=low
.
[ Clint Byrum ]
* Drop creation of insecure database permissions (Closes: #732306):
- d/p/33_scripts__mysql_create_system_tables__no_test.patch,
d/p/41_scripts__mysql_install_db.sh__no_test.patch,
d/p/50_mysql-test__db_test.patch: Restored from mysql-5.1
package, inadvertently dropped in 5.5 transition. This
removes the global anonymous access to the database which
is a security concern.
.
[ James Page ]
* New upstream release:
- d/p/fix-racey-rpltests.patch: Dropped - no longer required.
- d/p/50_mysql-test__db_test.patch: Add extra permissions to
mysql-run-tests.pl for test_% accounts, fixing failing tests.
- d/p/*: Refreshed patches.
- SECURITY UPDATE:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- CVE-2013-5891
- CVE-2013-5908
- CVE-2014-0386
- CVE-2014-0393
- CVE-2014-0401
- CVE-2014-0402
- CVE-2014-0412
- CVE-2014-0420
- CVE-2014-0437
* Sync changes from NMU 5.5.33+dfsg-0+wheezy1:
- d/NEWS: Add NEWS file to document changes needed to existing databases
to drop insecure database permissions.
- SECURITY UPDATE: Insecure creation of the credential file debian.cnf.
- d/mysql-server-5.5.postinst: Set umask to 066 before creating
debian.cnf file (Closes: #711600).
- CVE-2013-2162
- d/copyright: Update copyright years for upstream files.
* d/control: Update VCS field for new git location.
* d/control: Add myself to Uploaders.
* d/*: Wrap and sort.
* d/control: Bumped Standards-Version, no changes.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---