Hello.
On Thu, Nov 02, 2000 at 06:44:46PM +0200, tonu@stripped wrote:
> On Wed, 1 Nov 2000, Gia Lucas - Customer Engineering wrote:
>
> > I was just wondering what options I have to deal with the weak authentication
> > scheme used by mysql3.22.32. Is there a patch or newer version which resolves
> > this?
>
> What do you mean "weak"?
I assume he refers to the recent posting on this list which quoted a
CORE SDI ADVISORY, which appeared on BugTraq:
----------------------------------------------------------------------
Message-ID: <003201c03d97$f4746a40$0201a8c0@stripped>
From: "Basil Hussain" <basil.hussain@stripped>
To: "MySQL List" <mysql@stripped>
Subject: Fw: [CORE SDI ADVISORY] MySQL weak authentication
Date: Tue, 24 Oct 2000 09:54:01 +0100
Hi all,
This security advisory appeared on the BugTraq mailing list and I haven't
seen it mentioned here yet, so I'm just forwarding this to the MySQL list
for anyone who may be interested in reading it.
To cut a long story short, the advisory strongly recommends that you read
the following manual section:
http://www.mysql.com/documentation/mysql/commented/manual.php?section=Security
as well as implement SSH tunneling if you're connecting to a MySQL server
via an untrusted network.
And, yes, the MySQL developers appear to have been informed, so no-one needs
to go telling them again!
[...]
----------------------------------------------------------------------
But as the posting and the advisory already say, there is no patch,
and it is recommended to use an encrypted tunnel if TCP/IP is used. So
the answer was also in the advisory.
Bye,
Benjamin.