Your message dated Tue, 17 Apr 2007 01:02:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#418672: fixed in mysql-dfsg-5.0 5.0.38-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: mysql-server-5.0
Version: 5.0.38-1
Severity: critical
Tags: security
Justification: root security hole

Hi,

I pressed Enter when it asked for a new password for root (root already had a password). Three rows were inserted into mysql.user:

(0x6c6f63616c686f7374, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0),
(0x632e787769732e6e6574, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0),
(0x3132372e302e302e31, 0x726f6f74, '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 0, 0, 0, 0);

One for 127.0.0.1, one for localhost and one for 'hostname'.

[EMAIL PROTECTED]:~$ mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
[EMAIL PROTECTED]:~$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages will be upgraded:
  mysql-server-5.0
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/25.4MB of archives.
After unpacking 287kB of additional disk space will be used.
Do you want to continue [Y/n]?
Preconfiguring packages ...
(Reading database ... 32257 files and directories currently installed.)
Preparing to replace mysql-server-5.0 5.0.36-1 (using .../mysql-server-5.0_5.0.38-1_i386.deb) ...
Stopping MySQL database server: mysqld.
Stopping MySQL database server: mysqld.
Unpacking replacement mysql-server-5.0 ...
Setting up mysql-server-5.0 (5.0.38-1) ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..

Configuring mysql-server-5.0
----------------------------

It is highly recommended that you set a password for the MySQL administrative "root" user.

If you do not provide a password no changes will be made to the account.

New password for MySQL "root" user:

[EMAIL PROTECTED]:~$ mysql -u root -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.0.38-Debian_1-log Debian etch distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages mysql-server-5.0 depends on:
ii adduser 3.102 Add and remove users and groups
ii debconf [debconf-2.0] 1.5.13 Debian configuration management sy
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libdbi-perl 1.53-1 Perl5 database interface by Tim Bu
ii libgcc1 1:4.1.1-21 GCC support library
ii libmysqlclient15off 5.0.38-1 mysql database client library
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii libreadline5 5.2-2 GNU readline and history libraries
ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii mysql-client-5.0 5.0.38-1 mysql database client binaries
ii mysql-common 5.0.38-1 mysql database common files (e.g.
ii passwd 1:4.0.18.1-7 change and administer password and
ii perl 5.8.8-7 Larry Wall's Practical Extraction
ii psmisc 22.3-1 Utilities that use the proc filesy
ii zlib1g 1:1.2.3-13 compression library - runtime

Versions of packages mysql-server-5.0 recommends:
ii mailx 1:8.1.2-0.20050715cvs-1 A simple mail user agent

-- debconf information:
  mysql-server-5.0/really_downgrade: false
* mysql-server-5.0/need_sarge_compat: false
  mysql-server-5.0/start_on_boot: true
  mysql-server/error_setting_password:
  mysql-server-5.0/mysql_update_hints1:
  mysql-server-5.0/nis_warning:
  mysql-server-5.0/postrm_remove_databases: false
  mysql-server-5.0/need_sarge_compat_done: true
  mysql-server-5.0/no_upgrade_with_isam_tables:
* mysql-server-5.0/mysql_install_db_notes:

--- End Message ---
--- Begin Message ---
Source: mysql-dfsg-5.0
Source-Version: 5.0.38-2

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:

libmysqlclient15-dev_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.38-2_amd64.deb
libmysqlclient15off_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.38-2_amd64.deb
mysql-client-5.0_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.38-2_amd64.deb
mysql-client_5.0.38-2_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.38-2_all.deb
mysql-common_5.0.38-2_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.38-2_all.deb
mysql-dfsg-5.0_5.0.38-2.diff.gz
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.38-2.diff.gz
mysql-dfsg-5.0_5.0.38-2.dsc
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.38-2.dsc
mysql-server-4.1_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.38-2_amd64.deb
mysql-server-5.0_5.0.38-2_amd64.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.38-2_amd64.deb
mysql-server_5.0.38-2_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.38-2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <[EMAIL PROTECTED]> (supplier of updated mysql-dfsg-5.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Tue, 17 Apr 2007 01:00:41 +0200
Source: mysql-dfsg-5.0
Binary: libmysqlclient15-dev mysql-client mysql-client-5.0 mysql-server mysql-server-4.1 mysql-server-5.0 mysql-common libmysqlclient15off
Architecture: source all amd64
Version: 5.0.38-2
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <[EMAIL PROTECTED]>
Changed-By: Christian Hammers <[EMAIL PROTECTED]>
Description:
 libmysqlclient15-dev - mysql database development files
 libmysqlclient15off - mysql database client library
 mysql-client - mysql database client (meta package depending on the latest versi
 mysql-client-5.0 - mysql database client binaries
 mysql-common - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server - mysql database server (meta package depending on the latest versi
 mysql-server-4.1 - mysql database server (transitional package)
 mysql-server-5.0 - mysql database server binaries
Closes: 418672
Changes:
 mysql-dfsg-5.0 (5.0.38-2) unstable; urgency=high
 .
   * SECURITY: In some previous versions mysql_install_db was not idempotent
     and did always create passwordless root accounts although it should only
     on initial installs (thanks to Olaf van der Spek). Closes: #418672
   * Added check for passwordless root accounts to debian-start.
   * As MySQL-5.0 is, at least currently, incompatible with Kernel 2.4 the
     installation is aborted for such old kernels. Debian Etch does not
     support them anyway according to the release notes but this might be
     unexpected and many production servers still have self build ones
     installed (thanks to Marc-Christian Petersen). See: #416841
   * Adjusted TeX build-deps to texlive.

--- End Message ---
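
The changelog above mentions a check for passwordless root accounts added to debian-start. The following script is an added example of such a check, not the debian-start code and not part of the original thread; the function names, the query, the use of /etc/mysql/debian.cnf and the sample rows are assumptions made for illustration, and it assumes the MySQL 5.0 schema in which mysql.user has a Password column.

```shell
#!/bin/sh
# Added example: audit mysql.user for root rows with an empty password,
# the condition reported in Bug#418672. Not the code shipped in debian-start.

# Assumption: MySQL 5.0 schema (hash stored in the "Password" column).
QUERY="SELECT Host, User, Password FROM mysql.user"

# Reads tab-separated Host, User, Password rows on stdin (the format printed
# by "mysql --batch --skip-column-names"), prints root@host for every root
# row whose password field is empty, and returns 1 if any such row exists.
find_passwordless_root() {
    awk -F '\t' '
        $2 == "root" && $3 == "" { print $2 "@" $1; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Hypothetical wrapper for a live Debian host. Assumption: the caller may
# read the maintenance credentials in /etc/mysql/debian.cnf.
audit_live_server() {
    mysql --defaults-file=/etc/mysql/debian.cnf --batch --skip-column-names \
        -e "$QUERY" | find_passwordless_root
}

# Constructed sample rows (not real data): two passwordless root rows of the
# kind described in the report, one root row with a placeholder hash, the
# Debian maintenance account, and an anonymous account (ignored by this check).
sample_rows() {
    printf 'localhost\troot\t\n'
    printf '127.0.0.1\troot\t\n'
    printf 'db1.example\troot\t*0000000000000000000000000000000000000000\n'
    printf 'localhost\tdebian-sys-maint\t*1111111111111111111111111111111111111111\n'
    printf 'localhost\t\t\n'
}

# Demo run over the constructed rows; swap in audit_live_server on a real host.
if ! sample_rows | find_passwordless_root; then
    echo "WARNING: passwordless MySQL root account(s) listed above" >&2
fi
```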