
Re: Authentication against mysql



Hello,

As a side note to this discussion, I heard of a set of vulnerabilities
in MySQL yesterday that are patched in their latest version - 
MySQL 3.23.54 - so you might want to double-check that you are running
this version before you get too far along in your build/testing.  I haven't 
seen a CERT advisory on this yet but the first few bullet points on 
the 3.23.54 release notes page seem to imply that the vulnerabilities are 
real:

http://www.mysql.com/doc/en/News-3.23.54.html
Changes in release 3.23.54 (5 Dec 2002)
 * Fixed a bug, that allowed to crash mysqld with a specially crafted packet.
 * Fixed a rare crash (double free'd pointer) when altering a temporary table.
 * Fixed buffer overrun in libmysqlclient library that allowed malicious 
   MySQL server to crash the client application.
 * Fixed security-related bug in mysql_change_user() handling. All users
   are strongly recommended to upgrade to the version 3.23.54.
 * Fixed bug that prevented --chroot command-line option of mysqld from 
   working.

Here's the vulnerability notice I saw...
http://security.e-matters.de/advisories/042002.html

Eric :)

-----
This is the afnog mailing list, managed by Majordomo 1.94.5
