Message-ID: <04Feb23.091039cet.118556@fd.hif.hu>
From: adam at hif.hu (Szilveszter Adam)
Subject: Proofpoint Protection Server remote MySQL root user vulnerability
Tony Kava wrote:
> Are you sure this is the default behaviour of a Red Hat installation? Your
> advisory does not indicate any specific version(s) of Red Hat Linux. Is
> this supposed to apply to RHL 7.2? 7.3? 8.0? 9.0? Fedora 1? In my previous
> experience with the 'mysql-server' package on any Red Hat the root user is
> granted full access without a password, but that is limited only to
> connections from the localhost. I've verified that the most up-to-date
> 'mysql-server' package for Red Hat Enterprise Linux 3 still falls in the 3.x
> version, not 4.x. The package name is mysql-server-3.23.58-1. Additionally
> with this package from Red Hat the root user without a password is limited
> to the localhost only.
Of course it sometimes helps to read the text of the advisory carefully.
Then you will be able to find out that it deals with an *embedded* mysql
server that comes with Proofpoint Protection Server, not the
mysql-server package that comes with <you name it> release of RH/Fedora.
This is why one should be always careful when evaluating products that
have embedded components: one cannot assume that the embedded components
are up-to-date security-wise.
Regards:
Sz.