MySql - logging in without knowing password

angelo
Posts: 2
Joined: 2012/06/11 10:21:13

MySql - logging in without knowing password

Post by angelo » 2012/06/11 10:33:36

Good morning/afternoon.

First of all I should clarify that server maintenance is not my stronger point so forgive me if I ask newbie questions or don't show enough knowledge about some technical security issues related to server admin.

As I was scanning some websites for my morning updates I found a security issue in MySql (my version, 5.0.95, is included); the link below explains the issue in greater detail:
http://seclists.org/oss-sec/2012/q2/493

I'm running CentOS 5. I installed mysql through yum (yum install mysql-server mysql); I assume this is a binary installation and is therefore not affected by the bug, citing the article: "As far as I know, official vendor MySQL and MariaDB binaries are not vulnerable."

Could anyone confirm this, or please point me in the right direction so I can fix this issue if there is one?

Thank you.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: MySql - logging in without knowing password

Post by TrevorH » 2012/06/11 13:17:11

https://bugzilla.redhat.com/show_bug.cgi?id=814605

angelo
Posts: 2
Joined: 2012/06/11 10:21:13

Re: MySql - logging in without knowing password

Post by angelo » 2012/06/11 13:54:13

Thank you Trevor,

For everyone who is a newbie like me, I will detail (to my understanding) the easiest way to make sure you are protected from this bug.

1 - Modify the my.cnf (MySQL configuration file), forcing mysql to bind only to localhost:
add the line "bind-address = 127.0.0.1" to your my.cnf

2 - If you want to test whether you are vulnerable you can use this code: http://pastie.org/4064638 . Just do "gcc name_of_the_file.c" and run the resulting .out file.
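Two defender-side checks for the points raised in this thread, added here as an example and not taken from the thread or from the MySQL project: check_bind_address parses a my.cnf the way step 1 above expects it to be read (only the [mysqld] section counts, comment lines and trailing comments are ignored, the last setting wins, and a missing bind-address means "listen on every interface"), and package_origin answers the question from the first post, namely whether the running mysqld came from a signed vendor RPM or from a source build. The sample config files are constructed, and the /usr/libexec/mysqld fallback path is an assumption about the CentOS 5 layout.

```sh
#!/bin/sh
# Added example, not from the thread. Checks that a my.cnf restricts mysqld
# to local clients, and reports which RPM (if any) owns the mysqld binary.

# check_bind_address FILE -> 0 when mysqld is reachable only locally, 1 otherwise
check_bind_address() {
    addr=$(awk '
        /^[[:space:]]*[#;]/ { next }                                  # comment line
        /^[[:space:]]*\[/  { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && $1 ~ /^skip[-_]networking/ { skipnet = 1 }      # TCP disabled entirely
        in_mysqld && $1 ~ /^bind[-_]address/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # drop "bind-address ="
            sub(/[[:space:]]*#.*$/, "")      # drop a trailing comment
            sub(/[[:space:]]+$/, "")
            last = $0                        # the last occurrence wins, as in mysqld
        }
        END { print (skipnet ? "skip-networking" : last) }' "$1")
    case "$addr" in
        skip-networking)
            echo "OK: TCP disabled (skip-networking), only the Unix socket is usable"; return 0 ;;
        127.0.0.1|localhost|::1)
            echo "OK: mysqld bound to loopback ($addr)"; return 0 ;;
        "")
            echo "WARN: no bind-address in [mysqld]; mysqld listens on all interfaces"; return 1 ;;
        *)
            echo "WARN: bind-address = $addr is reachable from other hosts"; return 1 ;;
    esac
}

# package_origin -> 0 if mysqld is owned by an RPM, 1 if not, 2 if rpm is unavailable.
# Prints the package name, its vendor and its GPG signature so a "binary install"
# can be told apart from a locally compiled server.
package_origin() {
    bin=$(command -v mysqld || echo /usr/libexec/mysqld)   # fallback path is an assumption
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host"; return 2; }
    pkg=$(rpm -qf "$bin" 2>/dev/null) ||
        { echo "WARN: $bin is not owned by any package (source build?)"; return 1; }
    rpm -q --qf 'OK: %{NAME}-%{VERSION}-%{RELEASE} vendor=%{VENDOR} sig=%{SIGPGP:pgpsig}\n' "$pkg"
}

# Constructed sample configs (not real server files) for demonstration.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/open.cnf" <<'EOF'
[client]
bind-address = 127.0.0.1   # wrong section: the client block does not configure the server
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# bind-address = 127.0.0.1   <- commented out, so it has no effect
EOF

cat > "$tmpdir/loopback.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
bind-address = 127.0.0.1   # local clients only, as in step 1
[mysqld_safe]
log-error=/var/log/mysqld.log
EOF

cat > "$tmpdir/public.cnf" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
EOF

for f in "$tmpdir"/*.cnf; do
    printf '%s: ' "$(basename "$f")"
    check_bind_address "$f" || :
done
package_origin || :
```

check_bind_address reads only the configuration; it says nothing about what mysqld is actually doing, so after editing my.cnf and restarting the service, confirm the effect with `netstat -ltn` (or `ss -ltn` on newer systems) and look for port 3306 bound to 127.0.0.1 rather than 0.0.0.0.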

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: MySql - logging in without knowing password

Post by TrevorH » 2012/06/11 13:56:43

That bugzilla explicitly states that RHEL 4, 5 and 6 are not vulnerable to this bug. Limiting the listen address to localhost is fine if your server does not need to be accessible to other systems, but if it does, then you are still not vulnerable to this bug anyway.

gigglesworth
Posts: 9
Joined: 2005/05/23 22:57:10
Location: Berkeley, CA

MySql - logging in without knowing password

Post by gigglesworth » 2012/06/12 21:56:52

And here is the official word from the CentOS security team. RHEL is not vulnerable, therefore CentOS is not vulnerable.

http://lists.centos.org/pipermail/centos/2012-June/126719.html

-= Stefan
