List: General Discussion
From: Benjamin Pflugmann
Date: November 3 2000 10:34pm
Subject: Re: weak authentication scheme

On Thu, Nov 02, 2000 at 06:44:46PM +0200, tonu@stripped wrote:
> On Wed, 1 Nov 2000, Gia Lucas - Customer Engineering wrote:
> > I was just wondering what options I have to deal with the weak authentication
> > scheme used by mysql3.22.32.  Is there a patch or newer version which resolves
> > this?
> What do you mean "weak"?

I assume he refers to the recent posting on this list which quoted a
CORE SDI ADVISORY, which appeared on BugTraq:

Message-ID: <003201c03d97$f4746a40$0201a8c0@stripped>
From: "Basil Hussain" <basil.hussain@stripped>
To: "MySQL List" <mysql@stripped>
Subject: Fw: [CORE SDI ADVISORY] MySQL weak authentication
Date: Tue, 24 Oct 2000 09:54:01 +0100

Hi all,

This security advisory appeared on the BugTraq mailing list and I haven't
seen it mentioned here yet, so I'm just forwarding this to the MySQL list
for anyone who may be interested in reading it.

To cut a long story short, the advisory strongly recommends that you read
the following manual section:

as well as implement SSH tunneling if you're connecting to a MySQL server
via an untrusted network.

And, yes, the MySQL developers appear to have been informed, so no-one needs
to go telling them again!

But as the posting and the advisory already say, there is no patch
and it is recommended to use an encrypted tunnel if TCP/IP is used. So
the answer was also in the advisory.


