lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030121103922.B11843@netsys.com>
From: len at netsys.com (Len Rose)
Subject: [serg@...ql.com: Re: MySQL 3.23.54a can be crased with a exploit for 3.23.53]

----- Forwarded message from Sergei Golubchik <serg@...ql.com> -----

Mailing-List: contact mysql-help@...ts.mysql.com; run by ezmlm (http://www.ezmlm.org)
List-ID: <mysql.mysql.com>
Precedence: bulk
List-Help: <mailto:mysql-help@...ts.mysql.com>
List-Unsubscribe: <mailto:mysql-unsubscribe-len=netsys.com@...ts.mysql.com>
List-Post: <mailto:mysql@...ts.mysql.com>
List-Subscribe: <mailto:mysql-subscribe@...ts.mysql.com>
Delivered-To: mailing list mysql@...ts.mysql.com
Date: Tue, 21 Jan 2003 16:19:42 +0100
From: Sergei Golubchik <serg@...ql.com>
To: Dennis Kruyt <d.kruyt@...nl>
Cc: bugtraq@...urityfocus.com, bugs@...ts.mysql.com, mysql@...ts.mysql.com
Subject: Re: MySQL 3.23.54a can be crased with a exploit for 3.23.53
Mail-Followup-To: Dennis Kruyt <d.kruyt@...nl>, bugtraq@...urityfocus.com,
	bugs@...ts.mysql.com, mysql@...ts.mysql.com
In-Reply-To: <1A231876B7149843A53D220337C84A0009DA85@...hange-test.office.zx.nl>
User-Agent: Mutt/1.5.1i

Hi!

On Jan 21, Dennis Kruyt wrote:
> Hi,
> 
> When I try the hoagie_mysql exploit from http://void.at/releases.html
> on a 3.23.54a MySQL server (witch sould be safe) then i can crash the
> database with this.
> 
> How did I do it?
> 
> I start hoagie_mysql with a valid db user (not root). Then press ctrl-c
> (abort) and start the tool again. Now the tool has reported that the
> attack has failed. But the MySQL db is restarted if i look in the error
> log and some normal connectie to the database then will fail. I have
> tried it on several server with success.

You should've contacted us (using security@...ql.com) first
so we'd be able to release fixed version :(

Anyway, this is fixed. 3.23.55 will be released soon.
For impatients, there's our bk tree, available publicaly

Thanks for bugreport.

Regards,
Sergei

-- 
MySQL Development Team
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@...ql.com>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
       <___/

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <mysql-thread130516@...ts.mysql.com>
To unsubscribe, e-mail <mysql-unsubscribe-len=netsys.com@...ts.mysql.com>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

----- End forwarded message -----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ