oss-sec mailing list archives
Re: CVE request: Debian's package "mysql-server" leaks credential information
From: gremlin () gremlin ru
Date: Mon, 10 Jun 2013 15:26:30 +0400
On 08-Jun-2013 13:28:28 -0400, Daniel Kahn Gillmor wrote:
>> That's not a security issue, but a misconfiguration
> I consider this a security bug in the debian package's maintainer scripts: it is a race condition that leaks confidential information
Package post-install scripts are closer to configuration.
>> (alas, very common for Deb*an packages)
> If you know of more bugs like this, please report them with an e-mail to submit () bugs debian org with the first line "Package: FOO" (where "FOO" is replaced by the name of the buggy package). Thanks!
I know lots (even for MySQL, which we are discussing, I can recall at least mysqldump producing trash, or several replication issues), but I don't want to waste my time.
P.S.: http://pics.rsh.ru/img/debipoke_demo_itnrnj4r.png :-)
--
Alexey V. Vissarionov aka Gremlin from Kremlin
<gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8