oss-sec mailing list archives
Re: CVE request: Debian's package "mysql-server" leaks credential information
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 08 Jun 2013 22:29:03 -0600
On 06/08/2013 04:44 AM, vladz wrote:
> Hi,
>
> The file "/etc/mysql/debian.cnf", which contains plain text credentials
> for the "debian-sys-maint" mysql user, is created in an insecure manner
> during the package installation phase. This can lead a non-privileged
> local user to disclose its content and use this special account to
> perform administration tasks.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711600
>
> Could you allocate CVE id for this issue?
>
> Thank you,
> vladz.

Please use CVE-2013-2162 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
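The following shell sketch is an added example, not part of this thread and not the Debian maintainer script. It shows one way to create a credentials file so that it is never group- or world-accessible, even briefly, plus a check for that property; the function names, the sample file name and its contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, paths and file contents are assumptions.

# Write stdin to $1 without any window in which group/other can read it.
write_secret_file() {
    target=$1
    dir=$(dirname -- "$target")
    old_umask=$(umask)
    umask 077                        # mode is restrictive at creation time
    # Temp file in the same directory so the final rename is atomic.
    tmp=$(mktemp "$dir/.secret.XXXXXX") || { umask "$old_umask"; return 1; }
    if cat > "$tmp" && mv -f -- "$tmp" "$target"; then
        rc=0
    else
        rc=1
        rm -f -- "$tmp"
    fi
    umask "$old_umask"
    return $rc
}

# Return 0 only if $1 is a regular file (not a symlink) with no
# group/other permission bits; 1 if bits are set; 2 if not a regular file.
audit_secret_file() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        return 2
    fi
    perms=$(ls -ld -- "$1" | cut -c5-10)   # the six group/other characters
    [ "$perms" = "------" ]
}

# Demo in a scratch directory (constructed sample data).
demo_dir=$(mktemp -d)
printf '[client]\nuser = example-maint\npassword = constructed-sample\n' |
    write_secret_file "$demo_dir/example.cnf"
audit_secret_file "$demo_dir/example.cnf" &&
    echo "ok: example.cnf is owner-only"

# Contrast: a file created under a permissive umask fails the audit.
( umask 022; : > "$demo_dir/weak.cnf" )
audit_secret_file "$demo_dir/weak.cnf" ||
    echo "finding: weak.cnf is accessible to group/other"
rm -rf -- "$demo_dir"
```

On a host, the same audit function can be pointed at /etc/mysql/debian.cnf to confirm the file is owner-only.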