List:General Discussion« Previous MessageNext Message »
From:Benjamin Pflugmann Date:November 3 2000 10:34pm
Subject:Re: weak authentication scheme
View as plain text  
Hello.

On Thu, Nov 02, 2000 at 06:44:46PM +0200, tonu@stripped wrote:
> On Wed, 1 Nov 2000, Gia Lucas - Customer Engineering wrote:
>
> > I was just wondering what options I have to deal with the weak authentication
> > scheme used by mysql3.22.32.  Is there a patch or newer version which resolves
> > this?
> 
> What do you mean "weak"?

I assume he refers to the recent posting on this list which quoted a
CORE SDI ADVISORY, which appeared on BugTraq:

----------------------------------------------------------------------
Message-ID: <003201c03d97$f4746a40$0201a8c0@stripped>
From: "Basil Hussain" <basil.hussain@stripped>
To: "MySQL List" <mysql@stripped>
Subject: Fw: [CORE SDI ADVISORY] MySQL weak authentication
Date: Tue, 24 Oct 2000 09:54:01 +0100

Hi all,

This security advisory appeared on the BugTraq mailing list and I haven't
seen it mentioned here yet, so I'm just forwarding this to the MySQL list
for anyone who may be interested in reading it.

To cut a long story short, the advisory strongly recommends that you read
the following manual section:

http://www.mysql.com/documentation/mysql/commented/manual.php?section=Securi
ty

as well as implement SSH tunneling if you're connecting to a MySQL server
via an untrusted network.

And, yes, the MySQL developers appear to have been informed, so no-one needs
to go telling them again!
[...]
----------------------------------------------------------------------

But as the posting and the advisory already tell, there is no patch
and it is recommended to use an encrypted tunnel if TCP/IP is used. So
the answer was also in the advisory.

Bye,

        Benjamin.

Thread
weak authentication schemeGia Lucas - Customer Engineering1 Nov
  • Re: weak authentication schemeTonu Samuel2 Nov
    • Re: weak authentication schemeBenjamin Pflugmann4 Nov