This isn't a new bug. This was mentioned about a year ago.
Besides, this isn't just a mysqld problem - it's a problem that plagues ANY TCP/IP based
daemon. It's common sys admin sense NOT to run ANY daemon as root unless there is
absolutely, positively NO OTHER WAY to get it to run properly.
Benjamin Pflugmann <philemon@stripped> wrote:
> All your arguments are irrelevant regarding my post: Sergei stated
> that MySQL 3.23 would not be vulnerable to the posted exploit and I
> proved it is (respecting the rules given in the exploit). I never
> argued about the impact of the exploit.
> To be true, I am worried about the answers we get. First, I wonder
> about how Sergei was not able to repeat it, when I had no problem. A
> test case showing that it did not work for him would have been nice
> (sorry, Sergei, no harm intended).
> Then you simply "talk away" the harm of this exploit, and ignore what
> was said before. All your arguments may be valid, but have nothing to
> do with the fact that there is an exploitable bug, regardless how many
> impact it has.
> In fact, until now, nobody from MySQL even officially acknowledged that
> there is a problem, except implicitly by discussing it (on the
> mysql-list I mean... there was an answer on bugtraq).
> I wrote my last mail just because I already confirmed that problem
> with 3.23 after I read bugtraq and therefore knew, that Sergei must
> have tested in a different way than me.
"If you put three drops of poison into a 100 percent pure Java, you get - Windows. If you
put a few drops of Java into Windows, you still have Windows."
-- Sun Microsystems CEO, Scott McNealy
Get your own FREE, personal Netscape Webmail account today at http://webmail.netscape.com/