From: Jan Steinman
Date: November 13 2010 9:32pm
Subject: RE: FW: [USN-1017-1] MySQL vulnerabilities
List-Archive: http://lists.mysql.com/mysql/223581
Message-Id: <688EE349-275A-4813-A876-7CE82680EFD4@Bytesmiths.com>

> From: "Daevid Vincent"
>
> my point exactly. there is NONE. and if you don't patch your mysql as
> needed, then you will need a lot more help when you're hacked. ;-p

I note that the impact of every single one of these vulnerabilities was "An authenticated user could exploit this to make MySQL crash, causing a denial of service."

That's a pretty low threat level. No mention was made of gaining or increasing access, nor of corrupting data.

First, you need an "authenticated user" who is trying to "exploit" a vulnerability to cause "denial of service."

If you're allowing a publicly accessible pseudo-user to exploit such vulnerabilities through script injection, that's YOUR problem!

If an "authenticated user" causes a "MySQL crash" on my system, they get de-authenticated pretty quickly. :-)

----------------
No rational person can see how using up the topsoil or the fossil fuels as quickly as possible can provide greater security for the future, but if enough wealth and power can conjure up the audacity to say that it can, then sheer fantasy is given the force of truth; the future becomes reckonable as even the past has never been. -- Wendell Berry
:::: Jan Steinman, EcoReality Co-op ::::