lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <04Feb23.091039cet.118556@fd.hif.hu>
From: adam at hif.hu (Szilveszter Adam)
Subject: Proofpoint Protection Server remote MySQL root user vulnerability

Tony Kava wrote:

> Are you sure this is the default behaviour of a Red Hat installation? Your
> advisory does not indicate any specific version(s) of Red Hat Linux.  Is
> this supposed to apply to RHL 7.2? 7.3? 8.0? 9.0? Fedora 1? In my previous
> experience with the 'mysql-server' package on any Red Hat the root user is
> granted full access without a password, but that is limited only to
> connections from the localhost.  I've verified that the most up-to-date
> 'mysql-server' package for Red Hat Enterprise Linux 3 still falls in the 3.x
> version, not 4.x.  The package name is mysql-server-3.23.58-1.  Additionally
> with this package from Red Hat the root user without a password is limited
> to the localhost only.

Of course it sometimes helps to read the text of the advisory carefully. 
Then you will be able to find out that it deals with an *embedded* mysql 
server that comes with Proofpoint Protection Server, not the 
mysql-server package that comes with <you name it> release of RH/Fedora.

This is why one should always be careful when evaluating products that 
have embedded components: one cannot assume that the embedded components 
are up-to-date security-wise.

Regards:
Sz.
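An audit and clean-up of the MySQL grant tables for the situation the thread discusses, added here as an example; it is not from the original message, the advisory, Proofpoint or Red Hat. It assumes a 3.23/4.x style mysql.user table (password column named Password; from MySQL 5.7 on it is authentication_string), and it must be run with a privileged account against the instance you are actually auditing. The placeholder password CHANGE_ME is an assumption to be replaced.

```sql
-- Added example, not from the original thread. Assumes a MySQL 3.23/4.x
-- style mysql.user table (column named Password; 5.7+ uses
-- authentication_string). Run as a privileged user on the server itself.

-- 1. Which accounts can log in with no password, and from which hosts?
--    Host = 'localhost' is the Red Hat default described in the thread;
--    '%' (or a hostname pattern) means the passwordless account is
--    reachable over the network, which is the embedded-server case here.
SELECT User, Host, Password
  FROM mysql.user
 WHERE Password = ''
 ORDER BY User, Host;

-- 2. Remediate: drop root entries that are not local, then give the
--    local root account a real password (CHANGE_ME is a placeholder).
DELETE FROM mysql.user
 WHERE User = 'root' AND Host <> 'localhost';

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE_ME');

-- 3. The 3.x/4.x default install also creates anonymous accounts
--    (empty User, empty Password); remove them as well.
DELETE FROM mysql.user
 WHERE User = '';

-- Grant-table edits take effect only after a reload.
FLUSH PRIVILEGES;

-- 4. Re-run the audit; the first query should now return no rows.
SELECT User, Host
  FROM mysql.user
 WHERE Password = '';
```

One caveat that follows directly from the thread: an embedded MySQL ships with its own data directory, socket and listening port, separate from any distribution mysql-server package. Connect the client to the embedded instance's socket or port when auditing, otherwise you will be looking at the wrong grant tables and may conclude the host is fine when it is not.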
