oss-sec mailing list archives

Re: CVE request: Debian's package "mysql-server" leaks credential information


From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 08 Jun 2013 22:29:03 -0600


On 06/08/2013 04:44 AM, vladz wrote:
> Hi,
>
> The file "/etc/mysql/debian.cnf", which contains plain text
> credentials for the "debian-sys-maint" mysql user, is created in an
> insecure manner during the package installation phase.  This can
> lead a non-privileged local user to disclose its content and use
> this special account to perform administration tasks.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711600
>
> Could you allocate CVE id for this issue?
>
> Thank you, vladz.


Please use CVE-2013-2162 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
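One way to create a credentials file like the one discussed in this thread so that it is never readable by other local users, plus a check an administrator can run on an existing file. This is an added example, not code from the Debian package or the bug report; the function names and temp-file template are hypothetical, and GNU `stat` and `mktemp` are assumed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the mysql-server package.

# Write a secret so it is private from the first instant it exists:
# restrictive umask (in a subshell, so the caller's umask is untouched),
# temp file in the destination directory, then an atomic rename into place.
write_secret_file() {
    wsf_dest=$1
    wsf_content=$2
    wsf_dir=$(dirname "$wsf_dest")
    (
        umask 077
        wsf_tmp=$(mktemp "$wsf_dir/.secret.XXXXXX") || exit 1
        printf '%s\n' "$wsf_content" > "$wsf_tmp" || { rm -f "$wsf_tmp"; exit 1; }
        mv -f "$wsf_tmp" "$wsf_dest" || { rm -f "$wsf_tmp"; exit 1; }
    )
}

# Audit an existing file: succeed only if it is a regular file (not a
# symlink) and grants no permission bits to group or other.
# Returns 0 = private, 1 = too permissive or wrong type, 2 = cannot stat.
secret_file_mode_ok() {
    sfm_mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ -f "$1" ] || return 1
    [ ! -L "$1" ] || return 1
    # Leading 0 makes the shell read the mode as octal; 077 masks group/other.
    [ $(( 0$sfm_mode & 077 )) -eq 0 ]
}

# Usage (paths are illustrative):
#   write_secret_file /etc/example/creds.cnf "password = ..."
#   secret_file_mode_ok /etc/mysql/debian.cnf || echo "debian.cnf is too permissive"
```

The audit only reports the current mode; it cannot tell whether the file was briefly readable while it was being created.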

