oss-sec mailing list archives

Re: CVE request: Debian's package "mysql-server" leaks credential information


From: gremlin () gremlin ru
Date: Sat, 8 Jun 2013 15:33:16 +0400

On 08-Jun-2013 07:22:44 -0400, Larry Cashdollar wrote:

According to the bug report details that's a race condition.
A malicious user is using a vulnerability in the way the
installation script handles changing file permissions to disclose
sensitive information.

Yes. And, once again, that's a misconfiguration - the file should
be created as 0600 root:root during installation and only after
that chmod() and chown() may be applied.

On Jun 8, 2013, at 7:00 AM, gremlin () gremlin ru wrote:

- Because it messes up the order in which people normally read text.
- Why top-posting is considered the most annoying thing in messages?


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
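The ordering problem described above, as an added example that is not from the thread or from Debian's package scripts: a hypothetical postinst-style helper contrasting the racy "create, then chmod" pattern with creating the credential file restricted from the start (file names and the password value are constructed).

```shell
# Permission string as printed by ls -l, e.g. "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Racy pattern: the file is born under the inherited umask (commonly 022),
# so it is world-readable until chmod runs. A process that opens it in that
# window keeps its readable descriptor even after the mode is tightened.
write_creds_racy() {
    f="$1"
    printf 'password=%s\n' "$2" > "$f"
    RACY_MODE_BEFORE_CHMOD=$(mode_of "$f")   # recorded so the window is visible
    chmod 0600 "$f"
}

# Fixed pattern: create the file under a restrictive umask in a subshell, so
# it never exists with wider permissions. In a real installer the chown to
# root:root and the chmod come only after this step, as the thread describes.
write_creds_safe() {
    f="$1"
    ( umask 077 && printf 'password=%s\n' "$2" > "$f" )
    chmod 0600 "$f"
    # chown root:root "$f"   # needs root; left out so the example runs unprivileged
}

# Same idea with install(1): the destination is created with the requested
# mode, and the content is then written through the already-restricted file.
write_creds_install() {
    f="$1"
    install -m 0600 /dev/null "$f"
    printf 'password=%s\n' "$2" > "$f"
}
```

With the default 022 umask, `RACY_MODE_BEFORE_CHMOD` reads `-rw-r--r--`, while both fixed variants never show anything wider than `-rw-------`.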