oss-sec mailing list archives
Re: CVE request: Debian's package "mysql-server" leaks credential information
From: larry Cashdollar <larry0 () me com>
Date: Sat, 08 Jun 2013 07:43:21 -0400
On Jun 8, 2013, at 7:33 AM, gremlin () gremlin ru wrote:
On 08-Jun-2013 07:22:44 -0400, larry Cashdollar wrote:According to the bug report details that's a race condition. A malicious user is using a vulnerability in the way the installation script handles changing file permissions to disclose sensitive information.Yes. And, once again, that's a misconfiguration - the file should be created as 0600 root:root during installation and only after that chmod() and chown() may be applied.
I'd agree if this were a configuration file we were talking about, but it's an installation script.
On Jun 8, 2013, at 7:00 AM, gremlin () gremlin ru wrote:- Because it messes up the order in which people normally read text. - Why top-posting is considered the most annoying thing in messages?
My apologies.
-- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru> GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
Current thread:
- CVE request: Debian's package "mysql-server" leaks credential information vladz (Jun 08)
- Re: CVE request: Debian's package "mysql-server" leaks credential information gremlin (Jun 08)
- Re: CVE request: Debian's package "mysql-server" leaks credential information larry Cashdollar (Jun 08)
- Re: CVE request: Debian's package "mysql-server" leaks credential information gremlin (Jun 08)
- Re: CVE request: Debian's package "mysql-server" leaks credential information larry Cashdollar (Jun 08)
- Re: CVE request: Debian's package "mysql-server" leaks credential information gremlin (Jun 08)
- Re: CVE request: Debian's package "mysql-server" leaks credential information larry Cashdollar (Jun 08)
- Re: CVE request: Debian's package "mysql-server" leaks credential information larry Cashdollar (Jun 08)
- Re: CVE request: Debian's package "mysql-server" leaks credential information gremlin (Jun 08)
- Re: CVE request: Debian's package "mysql-server" leaks credential information Kurt Seifried (Jun 08)
- RE: CVE request: Debian's package "mysql-server" leaks credential information Christey, Steven M. (Jun 09)
- Re: CVE request: Debian's package "mysql-server" leaks credential information gremlin (Jun 10)
- Re: CVE request: Debian's package "mysql-server" leaks credential information Florian Weimer (Jun 10)
- Re: CVE request: Debian's package "mysql-server" leaks credential information Henri Salo (Jun 10)